Remote data mirroring having preselection of automatic recovery or intervention required when a disruption is detected

ABSTRACT

Two data storage systems are interconnected by a data link for remote mirroring of data. Each volume of data is configured as local, primary in a remotely mirrored volume pair, or secondary in a remotely mirrored volume pair. Normally, a host computer directly accesses either a local or a primary volume, and data written to a primary volume is automatically sent over the link to a corresponding secondary volume. Each remotely mirrored volume pair can operate in a selected synchronization mode including synchronous, semi-synchronous, adaptive copy--remote write pending, and adaptive copy--disk. A number of automatic and non-automatic recovery mechanisms are provided on a logical volume basis for a desired level of data integrity and degree of operator or application program involvement. If a &#34;volume domino&#34; mode is enabled for a remotely mirrored volume pair, access to a volume of the pair is denied when the other volume is inaccessible. In a &#34;links domino&#34; mode, access to all remotely mirrored volumes is denied when remote mirroring is disrupted by an all-links failure. The domino modes can be used to initiate application-based recovery, for example, recovering a secondary data file using a secondary log file. In an overwrite cache mode, remote write-pending data in cache can be overwritten. In a &#34;log-in-cache&#34; mode, multiple versions of write data can be stored in cache in order to recover from a &#34;rolling disaster&#34;.

RELATED APPLICATION

This Application is a divisional of U.S. patent application Ser. No.08/654,511 filed May 28, 1996, entitled REMOTE DATA MIRRORING by Yanaiet al, issued as U.S. Pat. No. 5,742,792 on Apr. 21, 1998.

FIELD OF THE INVENTION

This invention relates to data storage, and more particularly, to asystem and method for automatically providing and maintaining a copy ormirror of data stored at a location remote from the main or primary datastorage device.

BACKGROUND OF THE INVENTION

Nearly all data processing system users are concerned with maintainingback-up data in order to insure continued data processing operationsshould their data become lost, damaged, or otherwise unavailable.

Large institutional users of data processing systems which maintainlarge volumes of data such as banks, insurance companies, and stockmarket traders must and do take tremendous steps to insure back up dataavailability in case of a major disaster. These institutions recentlyhave developed a heightened awareness of the importance of data recoveryand back-up in view of the many natural disasters and other world eventsincluding the bombing of the World Trade Center in New York City.

Currently, data processing system users often maintain copies of theirvaluable data on site on either removable storage media, or in asecondary "mirrored" storage device located on or within the samephysical confines of the main storage device. Should a disaster such asfire, flood, or inaccessibility to a building occur, however, both theprimary as well as the secondary or backed up data will be unavailableto the user. Accordingly, more data processing system users arerequiring the remote storage of back up data.

One prior art approach at data back-up involves taking the processor outof service while back-up tapes are made. These tapes are then carriedoff premises for storage purposes. Should access to the backed up databe required, the proper tape must be located, loaded onto a tape drive,and restored to the host system requiring access to the data. Thisprocess is very time consuming and cost intensive, both in maintainingan accurate catalog of the data stored on each individual tape, as wellas storing the large number of tapes required to store the large amountsof data required by these institutions. Additionally and mostimportantly, it often takes twenty-four hours before a back-up tapereaches its storage destination during which time the back-up data isunavailable to the user.

Additionally, today's systems require a significant amount of planningand testing in order to design a data recovery procedure and assign datarecovery responsibilities. Typically, a disaster recovery team musttravel to the test site carrying a large number of data tapes. The teamthen loads the data onto disks, makes the required network connections,and then restores the data to the "test" point of failure so processingcan begin. Such testing may take days or even weeks and always involvessignificant human resources in a disaster recovery center or back-upsite.

Some providers of prior art data storage systems have proposed a methodof data mirroring whereby one host Central Processing Unit (CPU) orprocessor writes data to both a primary, as well as a secondary, datastorage device or system. Such a proposed method, however, overlyburdens the host CPU with the task of writing the data to a secondarystorage system and thus dramatically impacts and reduces systemperformance.

Accordingly, what is required is a data processing system whichautomatically and asynchronously, with respect to a first host system,generates and maintains a back-up or "mirrored" copy of a primarystorage device at a location physically remote from the primary storagedevice, without intervention from the host which seriously degrades theperformance of the data transfer link between the primary host computerand the primary storage device.

SUMMARY OF THE INVENTION

This invention features a system which controls storing of primary datareceived from a primary host computer on a primary data storage system,and additionally controls the copying of the primary data to a secondarydata storage system controller which forms part of a secondary datastorage system, for providing a back-up copy of the primary data on thesecondary data storage system which is located in a remote location fromthe primary data storage system. For remote copying of data from onestorage system to the other without host involvement, the primary andsecondary data storage system controllers are coupled via at least onehigh speed communication link such as a fiber optic link driven by LED'sor laser. The high speed communication link also permits one datastorage system to read or write data to or from the other data storagesystem.

At least ore of the primary and secondary data storage systemcontrollers coordinates the copying of primary data to the secondarydata storage system and at least one of the primary and secondary dataStorage system controllers maintains at least a list of primary datawhich is to be copied to the secondary data storage device.

Additionally, the secondary data storage system controller provides anindication or acknowledgement to the primary data storage systemcontroller that the primary data to be copied to the secondary datastorage system in identical form as secondary data has been received or,in another embodiment, has actually been written to a secondary datastorage device.

Accordingly, data may be transferred between the primary and secondarydata storage system controllers synchronously, when a primary hostcomputer requests writing of data to a primary data storage device, orasynchronously with the primary host computer requesting the writing ofdata to the primary data storage system, in which case the remote datacopying or mirroring is completely independent of and transparent to thehost computer system.

At least one of the primary data storage system controller and thesecondary data storage system controller maintains a list of primarydata which is to be written to the secondary data storage system. Oncethe primary data has been at least received or optionally stored on thesecondary data storage system, the secondary data storage systemcontroller provides an indication or acknowledgement of receipt orcompleted write operation to the primary data storage system.

At such time, the primary and/or secondary data storage systemcontroller maintaining the list of primary data to be copied updatesthis list to reflect that the given primary data has been received byand/or copied to the secondary data storage system. The primary orsecondary data storage system controllers and/or the primary andsecondary data storage devices may also maintain additional lists foruse in concluding which individual storage locations, such as tracks ona disk drive, are invalid on any given data storage device, which datastorage locations are pending a format operation, which data storagedevice is ready to receive data, and whether or not any of the primaryor secondary data storage devices are disabled for write operations.

The remote mirroring facility can operate in a specified one of a numberof different remote mirroring operating modes for each volume. Theoperating modes include a synchronous mode, a semi-synchronous mode, anadaptive copy--write pending mode, and an adaptive copy-disk mode. Theoperating mode for each logical volume can be specified to best suit thepurposes of the desired remote mirroring, the particular applicationusing the volume, and the particular use of the data stored on thevolume.

In the synchronous mode, data on the primary (R1) and secondary (R2)volumes are always fully synchronized at the completion of an I/Osequence. The data storage system containing the primary (R1) volumeinforms the host that an I/O sequence has successfully completed onlyafter the data storage system containing the secondary (R2) volumeacknowledges that it has received and checked the data. All accesses(reads and writes) to the remotely mirrored volume to which a write hasbeen performed are suspended until the write to the secondary (R2)volume has been acknowledged.

In the semi-synchronous mode, the remotely mirrored volumes (R1, R2) arealways synchronized between the primary (R1) and the secondary (R2)prior to initiating the next write operation to these volumes. The datastorage system containing the primary (R1) volume informs the host thatan I/O sequence has successfully completed without waiting for the datastorage system containing the secondary (R2) volume to acknowledge thatit has received and checked the data. Thus, a single secondary (R2)volume may lag its respective primary volume (R1) by only one write.Read access to the volume to which a write has been performed is allowed(steps 405, 403) while the write is in transit to the data storagesystem containing the secondary (R2) volume.

The adaptive copy modes transfer data from the primary (R1) volume tothe secondary (R2) volume and do not wait for receipt acknowledgment orsynchronization to occur. The adaptive copy modes are responsive to auser-configurable skew parameter specifying a maximum allowable writepending tracks. When the maximum allowable write pending tracks isreached, then write operations are suspended, and in a preferredarrangement, write operations are suspended by defaulting to apredetermined one of the synchronous Dr asynchronous modes. In theadaptive copy--write pending mode, the write pending tracks accumulatein cache. In the adaptive copy--disk mode, the write pending tracksaccumulate in disk memory.

In accordance with a basic aspect of the invention, there are provided anumber of automatic and non-automatic recovery mechanisms. The recoverymechanism can be also selected on a logical volume basis for a desiredlevel of data integrity and degree of operator or application programinvolvement. The invention also provides various options that provide atradeoff between the degree of data integrity, cache loading, processingspeed, and link traffic.

In one embodiment, cache loading and processing speed is enhanced byqueuing pointers to data in cache for transmission to the link, andpermitting pending write data to be overwritten in cache. Link trafficcan also be reduced in this case, since obsolete write pending data neednot be transmitted over the link. However, unless the remote mirroringis operated in the synchronous mode, data integrity is subject to thepossibility of a "rolling disaster." In the rolling disaster, a remotemirroring relationship exists between the two data storage systems. Alllinks break between the sites, and application processing continuesusing the primary (R1) volumes. The links are restored, andresynchronization commences by copying data from the primary (R1)volumes to the secondary (R2) volumes. Before resynchronization isfinished, however, the primary volumes are destroyed, and the attempt atresynchronization has further corrupted the secondary volumes, due tothe cache overwrite option.

The invention provides options other than the synchronous andsemi-synchronous operating modes to avoid the "rolling disaster"possibility when performing automatic recovery. One option is to suspendprocessing whenever the host requests a write to write-pending data incache. Another option is to log multiple versions of tracks containingremote pending data.

Another aspect of the present invention provides mechanisms forselectively inhibiting automatic or manual recovery when automatic ormanual recovery would be inappropriate.

In accordance with another aspect of the invention, automatic recoveryis selectively inhibited by domino modes. If a "volume domino mode" isenabled for a remotely mirrored volume pair, access to a volume of theremotely mirrored volume pair is denied when the other volume isinaccessible. In a "links domino mode," access to all remotely mirroredvolumes is denied when remote mirroring is disrupted by an all-linksfailure.

The domino modes can be used to initiate application-based recovery inlieu of automatic recovery. In one application-based recovery scheme, anapplication program maintains a log file of all writes ("before" or"after" images) to a data file. To ensure recovery, the applicationprogram always writes data to the primary (R1) copy of the log filebefore it is written to the primary (R1) copy of the data file. Thedegree of synchronization between the secondary (R2) and primary (R1)copies is selected so that the remote mirroring facility always writesdata to the secondary (R2) copy of the log file before it is written tothe secondary (R2) copy of the data file. Therefore, in the case of anall-links failure where host processing continues so far beyond thefailure that all versions of the following updates are not retained, thesecondary (R2) copy of the data file can be recovered if the primary(R1) copies are destroyed. In this case, if the secondary (R2) copy ofthe data file is corrupted, it is recovered using the changes recordedin the secondary (R2) copy of the log file.

In accordance with yet another aspect of the invention, there isprovided host remote mirroring software for permitting a system operatoror host application program to monitor and control remote mirroring,migration, and recovery operations. The host remote mirroring softwareprovides the capability of changing the configuration of the remotelymirrored volumes in the data processing system, suspending and resumingremote mirroring for specified remotely mirrored volume pairs,synchronizing specified remotely mirrored volume pairs and notifying thesystem operator or host application program when synchronization isachieved, invalidating or validating specified remotely mirrored volumepairs, and controlling or limiting the direction of data transferbetween the volumes in a specified remotely mirrored pair.

The present invention therefore provides a data storage system whichachieves nearly 100 percent data integrity by assuring that all data iscopied to a remote site, and in those cases when a back-up copy is notmade due to an error of any sort, an indication is stored that the datahas not been copied, but instead must be updated at a future time. Thesystem operator or application programmer is free to choose a variety ofremote mirroring and recovery operations best suited for a desiredprocessing speed and level of data integrity.

Such a system is provided which is generally lower in cost and requiressubstantially less manpower and facilities to achieve than the prior artdevices.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features and advantages of the present invention will bebetter understood when read together with the following drawingswherein:

FIG. 1 is a block diagram illustrating the system with remote datamirroring according to the present invention;

FIG. 2 is a schematic representation of a portion of an index or listmaintained by the system of the present invention to determine variousfeatures including which primary data has been copied to a secondarydisk;

FIG. 3 is a schematic representation of an additional list or indexmaintained by the system of the present invention to keep track ofadditional items including an invalid data storage device track, deviceready status and write disable device status;

FIG. 4 is a block diagram showing a preferred construction for theremotely mirrored primary and secondary data storage systems and links;

FIG. 5 is a block diagram of a short distance option for linking twogeographically separated data storage systems;

FIG. 6 is a block diagram of a long distance option for linking twogeographically separated data storage systems;

FIG. 7 is a first portion of a flowchart showing the operation of achannel adapter when providing data access in the synchronous andsemi-synchronous remote mirroring modes;

FIG. 8 is a second portion of the flowchart showing the operation of achannel adapter when providing data access in the synchronous andsemi-synchronous remote mirroring modes;

FIG. 9 is a flowchart showing a modification of FIG. 7 for adaptive copyremote mirroring modes;

FIG. 10 is a flowchart showing operation of a data storage system when ahost requests a state change to a secondary (R2) volume in the datastorage system;

FIG. 11 is a flowchart showing operation of a channel adapter whenresponding to various failures depending on whether or not an "all-linksdomino mode" or a "volume domino mode" is enabled;

FIG. 12 is a block diagram illustrating the use of an application-basedrecovery program in a data processing system employing remotely-mirroreddata storage systems;

FIG. 13 is a flowchart showing the invocation and execution of theapplication-based recovery program for the data processing system ofFIG. 12;

FIG. 14 is a first portion of a flowchart showing an iterative routinefor migrating a volume concurrent with host access to the volume;

FIG. 15 is a second portion of the flowchart begun in FIG. 14;

FIG. 16 is a flowchart showing how a channel adapter maintains remotewrite pending bits, remote invalid bits, and remote invalid track countsin the data processing system of FIG. 4;

FIG. 17 is a flowchart showing an iterative routine using the remotewrite pending bits, remote invalid bits, and remote invalid track countsfor migrating a volume concurrent with host access to the volume;

FIG. 18 is a block diagram showing data structures in the cache memoryof the data processing system of FIG. 4;

FIG. 19 is a first portion of a flowchart showing how a host processorbundles remote write commands from all of the channel command words(CCW) in a single CCW chain into a single write command transmitted overa link to a remote data storage system;

FIG. 20 is a second portion of the flowchart begun in FIG. 19;

FIG. 21 a flowchart showing the operation of a link adapter in the dataprocessing system of FIG. 4;

FIG. 22 is a first portion of a flowchart of the operation of a channeladapter when writing a record to a primary (R1) volume located in thesame data storage system containing the primary (R1) volume; and

FIG. 23 is a second portion of the flowchart begun in FIG. 22.

While the invention is susceptible to various modifications andalternative forms, specific embodiments thereof have been shown by wayof example in the drawings and will be described in detail herein. Itshould be understood, however, that it is not intended to limit theinvention to the particular forms disclosed, but to the contrary, theintention is to cover all modifications, equivalents, and alternativesfalling within the scope of the invention as defined by the appendedclaims.

DETAILED DESCRIPTION OF THE INVENTION

A. Overview

The present invention features a system which provides a remote mirroreddata storage system which contains generally identical information tothat stored on a primary data storage system. Utilizing such a system,data recovery after a disaster can be nearly instantaneous and mayrequire little, if any, human intervention. Using the present system,the data is retrieved from a remote device through the host dataprocessing system.

A system in accordance with the present invention is shown generally at10, FIG. 1, and includes at site A, which is a first geographiclocation, a host computer system 12 as is well known to those skilled inthe art. The host computer system 12 is coupled to a first and primarydata storage system 14. The host 12 writes data to and reads data fromthe primary data storage system 14.

The primary data storage system 14 includes a primary data storagesystem controller 16 which receives data from the host 12 over datasignal path 18. The primary data storage system controller 16 is alsocoupled to a storage device 20 which may include a plurality of datastorage devices 22a-22c. The storage devices may include disk drives,optical disks, CD's or other data storage devices. The primary systemcontroller 16 is coupled to the storage device 20 by means of datasignal path 24.

The primary data storage system controller 16 includes at least onechannel adapter (C.A.) 26 which is well known to those skilled in theart and interfaces with host processing system 12. Data received fromthe host is typically stored in cache 28 before being transferredthrough disk adapter (D.A.) 30 over data signal path 24 to the primarystorage device 20. The primary data storage controller 16 also includesa data director 32 which executes one or more sets of predeterminedmicro-code to control data transfer between the host 12, cache memory28, and the storage device 20. Although the data director 32 is shown asa separate unit, either one of a channel adapter 26 or disk adapter 30may be operative as a data director, to control the operation of a givendata storage system controller. Such a reconfigurable channel adapterand disk adapter is disclosed in U.S. Pat. No. 5,335,352 entitledRECONFIGURABLE, MULTI-FUNCTION DATA STORAGE SYSTEM CONTROLLERSELECTIVELY OPERABLE AS AN INPUT CHANNEL ADAPTER AND A DATA STORAGE UNITADAPTER, which is fully incorporated herein by reference.

The primary data storage system 14 according to one embodiment of thepresent invention also includes a service processor 34 coupled to theprimary data storage system controller 16, and which provides additionalfeatures such as monitoring, repair, service, or status access to thestorage system controller 16.

The primary data storage system controller 16 of the present inventionalso features at least a second disk adapter 36 coupled to the internalbus 38 of the primary data processing system controller 16. The seconddisk adapter 36 is coupled, via a high speed communication link 40 to adisk adapter 42 on a secondary data storage system controller 44 of asecondary data storage system 46. Such high speed, point-to-pointcommunication links between the primary and secondary data processingsystem controllers 16 and 44 include a fiber optic link driven by an LEDdriver, per IBM ESCON standard; a fiber optic link driven by a laserdriver, and optionally T1 and T3 telecommunication links. Utilizingnetwork connections, the primary and secondary data storage systemcontrollers 16 and 44 may be connected to FDDI networks, T1 or T3 basednetworks and SONET networks.

The secondary data storage system 46 is located at a second sitegeographically removed from the first site. For this patent application,"geographically removed site" means not within the same building as theprimary data storage system. There are presently known data processingsystems which provide data mirroring to physically different datastorage systems. The systems, however, are generally within the samebuilding. The present invention is directed to providing complete datarecovery in case of disaster, such as when a natural disaster such as aflood or a hurricane, or man made disasters such as fires or bombingsdestroy one physical location, such as one building.

As in the case of the primary data storage system, the secondary datastorage system 46 includes, in addition to the secondary data storagesystem controller 44, a secondary data storage device 48 including aplurality of storage devices 50a-50c. The plurality of storage deviceson the secondary data storage system 46, as well as the primary datastorage system 14, may have various volumes and usages such as a primarydata storage device 50a which is primary with respect to the attachedstorage controller 44 and host 52 in the case of the secondary datastorage system 46, and the primary storage device 22a which is primarywith respect to the first or primary host 12 in the case of the primarydata storage system 14.

Additionally, each storage device, such as storage device 48, mayinclude a secondary storage volume 50b which serves as the secondarystorage for the primary data stored on the primary volume 22a of theprimary data storage system 14. Similarly, the primary data storagesystem 14 may include a secondary storage volume 22b which storesprimary data received and copied from the secondary site and dataprocessing system 46 and host 52.

Additionally, each storage device 20, 48, may include one or more localvolumes or storage devices 22c, 50c, which are accessed only by theirlocally connected data processing systems.

The secondary storage system controller 44 also includes at least afirst channel adapter 54 which may receive data from an optionallyconnected secondary host 52 or an optionally connected hotsite host orCPU 56. Optionally, the primary host 12 may include a data signal path58 directly into the channel adapter 54 of the secondary data storagesystem 46, while the optional secondary host 52 may include an optionaldata path 60 into the channel adapter 26 of the primary data storagesystem 14. Although the secondary host 52 illustrated in FIG. 1 is notrequired for remote data mirroring as described in the present patentapplication, such a host would be required for data retrieval if boththe primary host 12 as well as the primary data storage system 14 wouldbe rendered inoperative. Similarly, a hotsite host or CPU 56 mayoptionally be provided at a third geographically remote site to accessthe data stored in the secondary data storage system 46.

The high speed link 40 between the primary and secondary data storagesystems 14 and 46 is designed such that multiple links between theprimary and secondary storage system may be maintained for enhancedavailability of data and increased system performance. The number oflinks is variable and may be field upgradeable. Additionally, theservice processor 34 of the primary data storage system 14 and theservice processor 62 of the secondary data storage system 46 may also becoupled to provide for remote system configuration, remote softwareprogramming, and a host base point of control of the secondary datastorage system.

The secondary data storage system controller 44 also includes cachememory 64 which receives data from channel adapter 54 and disk adapter42, as well as disk adapter 66 which controls writing data to and fromsecondary storage device 48. Also provided is a data director 68 whichcontrols data transfer over communication bus 70 to which all theelements of the secondary data storage system controller are coupled.

An additional feature of the system of FIG. 1 is the ability todynamically reconfigure channel adapters as disk adapters and diskadapters as channel adapters, as described in U.S. Pat. No. 5,269,011entitled DYNAMICALLY RECONFIGURABLE DATA STORAGE SYSTEM WITH STORAGESYSTEM CONTROLLERS SELECTIVELY OPERABLE AS CHANNEL ADAPTERS OR STORAGEDEVICE ADAPTERS which is fully incorporated herein by reference.

The primary and secondary data storage systems may optionally beconnected by means of currently available, off-the-shelf channelextender equipment using bus and tag or ESCON interfaces.

B. Remote Mirroring Facility

The data storage system 10 of FIG. 1 is designed to provide the copyingof data from a primary data storage system to a physically remotesecondary data storage system transparent to the user, and external fromany influence of the primary host which is coupled to the primary datastorage system. The data storage system 10 is designed to operate in atleast two modes, the first being a real-time or synchronous mode whereinthe primary and secondary storage systems must guarantee that the dataexists and is stored in two physically separate data storage unitsbefore input/output completion; that is, before channel end and deviceend is returned to the primary host. Alternatively, the data storagesystem 10 is designed to operate in a point-in-time or asynchronous modewherein the data is copied to the remote or secondary data storagesystem asynchronously from the time when the primary or local dataprocessing system returns the input/output completion signal (channelend and device end) to the primary host. This eliminates any performancepenalty if the communication link between the primary and secondary datastorage systems is too slow, but creates the additional needs to managethe situation where data is not identical or in "sync" between theprimary and secondary data storage systems.

Thus, in the real time or synchronous mode, the primary data storagesystem automatically controls the duplication or copying of data to thesecondary data storage system controller transparently to the primaryhost computer. Only after data is safely stored in both the primary andsecondary data storage system, as detected by an acknowledgement fromthe secondary storage system to the primary storage system, does theprimary data storage system acknowledge to the primary host computerthat the data is synchronized. Should a disaster or facility outageoccur at the primary data storage system site, the user will simply needto initialize the application program in the secondary data storagesystem utilizing a local host (52) or a commercial hotsite CPU or host56.

The link between the primary and secondary storage system controllers 14and 46 may be maintained in a unidirectional mode wherein the primarydata storage system controller monitors and controls data copying ormirroring. Alternatively, a bi-directional implementation may be usedwherein either controller can duplicate data to the other controller,transparently to the host computer. Should a disaster or facilitiesoutage occur, recovery can be automatic with no human intervention sincethe operational host computer already has an active path (40, 58, 60) tothe data through its local controller. While offering uninterruptedrecovery, performance will be slower than in an unidirectionalimplementation due to the over head required to manage intercontrollertasks.

In the second, point-in-time or asynchronous mode of operation, theprimary data storage system transparently duplicates data to thesecondary data storage system after the primary data storage systemacknowledges to the host computer, via channel end and device end, thatthe data has been written to the storage device and the input/outputoperation has been completed. This eliminates the performance impact ofdata mirroring over long distances. Since primary and secondary data arenot synchronized, however, the primary data storage system must maintaina log file of pending data which has yet to be written to the secondarydata storage device. Such data may be kept on removable, non-volatilemedia, in the cache memory of the primary or secondary data storagesystem controller as will be explained below, or in the serviceprocessor 34, 62 of the primary or secondary data storage system.

Accordingly, a feature of the data storage system 10 is the ability of adata storage system to control the transfer or copying of data from aprimary data storage system to the secondary data storage system,independent of and without intervention from one or more host computers.Most importantly, in order to achieve optimum data mirroringperformance, such data mirroring or copying should be performedasynchronously with input/output requests from a host computer.Accordingly, since data will not be immediately synchronized between theprimary and secondary data storage systems, data integrity must bemaintained by maintaining an index or list of various criteria includinga list of data which has not been mirrored or copied, data storagelocations for which a reformat operation is pending, a list of invaliddata storage device locations or tracks, whether a given device isready, or whether a device is write-disabled. Information must also beincluded as to the time of the last operation so that the data may laterbe synchronized should an error be detected.

A feature of the system of FIG. 1 is that both the primary or secondarydata storage systems maintain a table of the validity of data in theother storage system. As disclosed in U.S. Pat. No. 5,206,939 entitledSYSTEM AND METHOD FOR DISK MAPPING AND DATA RETRIEVAL, which is fullyincorporated herein by reference, the present system maintains a list orindex, utilizing one or more flag bits, in a hierarchical structure, oneach physical and logical data storage device.

In the system of FIG. 1, however, such information is kept on bothdevices for each individual system as well as the other data storagesystem. Thus, as illustrated in FIG. 2 in the partial list or table 100,each data storage system maintains an indication of write or copypending 102 of both the primary data (M1) 104, and the secondary data(M2) 106. Similarly, an index is maintained of a pending format changesince a disk format change may be accomplished. The format pending bits108 including a first primary bit 110 and a second secondary bit 112indicate that a format change has been requested and such change must bemade on the disk.

Thus, when a host computer writes data to a primary data storage system,it sets both the primary and secondary bits 104, 106 of the writepending bits 102 when data is written to cache. For these examples, theM1 bit will refer to the primary data storage system and the M2 bit willrefer to the secondary data storage system. When the primary datastorage system controller's disk adapter writes the data to the primarydata storage device, it will reset bit 104 of the write pendingindicator bits 102. Similarly, once the secondary data storage systemhas written the data to the secondary data storage device, the secondarydata storage write pending indicator bit 106 will be reset.

The service processors in one embodiment of the present invention willperiodically scan the index table for write pending indicator bits andinvoke a copy task which copies the data from the primary data storagedevice to the secondary data storage device. In addition, one or more ofthe spare index or table bits 114, 116 may be utilized to store otherdata such as time stamp, etc.

In addition to the write pending and format pending bits describedabove, the data storage system 10 also includes several additionalgeneral purpose flags to assist in error recovery. As shown in FIG. 3,invalid track flags 120 including primary bit 122 and secondary bit 124are utilized and maintained on each data storage device to indicate thatthe data storage location such as a track, does not contain valid data.Another background task running on he data storage system such as in theservice processor or storage system controller constantly checks invalidtrack bits on each data storage device, and if a bit is found to be set,the copy task is invoked to copy the data from the known good device tothe device with the invalid flag track set. Additional flags may beprovided such as the device ready flags 126 including bits 128 and 130which serve to indicate that the device is ready. Similarly, writedisable flags 132 may be provided which indicate that a particularprimary device or drive 134 or secondary device or drive 136 canpresently not be written to. Data can still be copied to the good orenabled drive and then later copied to the disabled drive. If one driveor device is bad, the present invention will set all tracks of thatdrive as not valid to later cause a copy of all the data.

Accordingly, each data storage device keeps data validity informationabout its mirrored device. If for some reason a device is notaccessible, either the primary or the secondary device, every new writecommand goes to the accessible mirrored device along with informationthat the not accessible device has a track which is not valid. As soonas the non-accessible device becomes accessible, then automatically, asa background operation, the drives re-synchronize. In the case when aspecific track is not shown on both the primary and secondary storagesystem, an indication of such will be assigned and the user will bealerted. A utility operating on the service processors will give theuser a report of all the non-valid (out of sync) tracks. This report canbe transferred from one site to another over the link 63, FIG. 1, thatconnects the two service processors 34, 62.

C. Communication Link Options

As introduced above with respect to FIG. 1, the disk adapters 36 and 42are configured for interconnecting the primary data storage system 14 tothe secondary storage system via the high-speed link 40. Further detailsof various link options are shown in FIGS. 4 to 6.

FIG. 4 shoes a data processing system 210 having a host centralprocessing unit 212, a primary data storage system 214, and a secondarydata storage system 246. In the preferred construction shown in FIG. 4,the primary and secondary data storage systems 214, 246 are integratedcached disk arrays having dual, redundant internal and external datalinks. In particular, the primary date storage system 214 has dualinternal busses 238, 239 from a dual-port cache 228, dual channeladapters 226, 227, dual disk adapters 230, 231, and dual link adapters236, 237. The host 212 at site A is connected to each of the dualchannel adapters 226, 227 via respective channel links 218, 219. Thesecondary data storage system 246 is connected to the dual link adapters236, 237 in the primary data storage system 214 via respectivecommunicative links 240, 241. The secondary data storage system 246 isalso connected to the primary data storage system via dual signal paths263, 265 from a dual-port service processor 234.

Data storage 220 in the primary data storage system 214 is provided byan array of dual-port disk drives 223a, 223b, 223c, 223d. Each of thedisk drives 223a, 223b, 223c, 223d, is connected to each of the diskadapters 230, 231 by a respective fiber channel loop 225, 229. Forincreased data storage capacity, additional disk drives could beinserted into the fiber channel loops 225, 229, and additional diskadapters could be included in the primary data storage system toaccommodate additional fiber channel loops of additional disk drives.

As shown in FIG. 4, the secondary data storage system 246 preferably hasthe same construction as the primary data storage system 214, and couldbe linked to the host central processing unit 212 via redundant signalpaths 258, 259. The data processing system 210 in FIG. 4 can beconfigured for remote mirroring from a user interface of the serviceprocessor 234 in the primary data storage system. The host centralprocessing unit 212 can also be provided with optional host remotemirroring (RM) software 213 so that the data processing system can beconfigured and monitored from a user interface of the host centralprocessing unit. Host application programs can also interface with theremote mirroring facility of the data storage systems 214, 246 via theoptional host remote mirroring (RM) software 213. An optional hostcentral processing unit 252 could be located at the remote site of thesecondary data storage system 246, and linked to each of the primary andsecondary data storage systems 214, 246 via redundant signal paths.

The communication links 240, 241 from the dual link adapters 236, 237are preferably IBM ESCON standard fiber-optic links. An ESCONfiber-optic link, with continuous optical fiber, can link primary andsecondary data storage systems spaced by up to 3 kilometers apart. ESCONlinks between primary and secondary storage units can be extended byrepeaters or interfaces to T3 or E3 circuits. In practice, it isdesirable to standardize link configurations to two options; namely, arelatively short distance option for distances up to about 60 kilometers(37.5 miles) between the primary and secondary storage units, and arelatively long distance option for distances greater than about 60kilometers between the primary and secondary data storage systems. Ineach case, each link adapter has a standard two-port IBM specificationLED multimode ESCON interface. It is desirable to provide a minimum oftwo and a maximum of at least eight link adapters in each data storagesystem.

Shown in FIG. 5 is the short distance option for interconnecting anintegrated cached disk array 301 having link adapters 302, 303 to aremote integrated cached disk array 304 having link adapters 305, 306.Repeaters 307, 308 interface the ESCON channels from each of the linkadapters 302, 305 to a private fiber or leased common carrier circuit309 providing a static connection. In a similar fashion, repeaters 310,311 interface the ESCON channels from each of the link adapters 303, 306to a private fiber or leased common carrier circuit 312 providing astatic connection. The repeaters 306, 307, 310, 311 are IBM 9032/9033ESCON Directors or 9036 Remote Channel Extenders. These standard ESCONDirectors or Remote Channel Extenders may be used in multiple 20kilometer hops. In general, for the short distance option, the links canbe any combination of multimode fiber, ESCON Directors, Remote ChannelExtenders, and single-mode fiber to achieve the maximum link distance of60 km.

Shown in FIG. 6 is the long distance option for interconnecting anintegrated cached disk array 321 having link adapters 322, 323 to anintegrated cached disk array 324 having link adapters 325, 326. ESCON toT3/E3 converters 327, 328 interface the ESCON channels from each of thelink adapters 322, 325 to a T3 or E3 circuit 329. In a similar fashion,repeaters 330, 331 interface the ESCON channels from each of the linkadapters 303, 306 to a T3 or E3 circuit 332. A suitable ESCON to T3/E3converter may include Data Switch Corporation Model 9800 MAX (MultipleArchitecture Extender). The 9000 MAX accepts up to four ESCON inputs,and multiplexes the data across 1 or 2 lines. T3 and E3 are copper orfiber-based telecommunications circuit. T3 is available in NorthAmerica, and E3 is available in Europe. T3 has a bandwidth of 44.5megabits per second, and E3 has a bandwidth of 34.5 megabits per second.A T3 or E3 circuit is sometimes referred to as "broad band". A T3/E3circuit can be "fragmented", subdivided for multiple application or useraccess, or be dedicated point-to-point.

Data channels between a host and a storage system remote from the hostcan be constructed in a fashion similar to the links shown in FIGS. 5 or6.

D. Initial Synchronization

Once the physical links are established between the primary andsecondary data storage systems, and the user specifies which logicalstorage devices or volumes are to be remotely mirrored, appropriatemicrocode is loaded into the data storage systems. It is also possiblethat the primary and secondary logical volumes could also be configuredfor local mirroring for enhanced redundancy. Alternatively, localredundancy could employ techniques for distributing the data bits ofeach byte or word of data in a logical device or volume across amultiplicity of physical disk drives in various ways known as levels ofRAID (redundant arrays of inexpensive disks).

RAID techniques are described in the following publications: Pattersonet al., "A Case for Redundant Arrays of Inexpensive Disks (RAID),"Report No. UCB/CSD 87/391, Computer Science Division (EECS), Universityof California, Berkeley, Calif., December 1987 (pages 1 to 24);Patterson et al., "Introduction to Redundant Arrays of Inexpensive Disks(RAID)," COMPCON 89 Proceedings, Feb. 27-Mar. 3, 1989, IEEE ComputerSociety, pp. 112-117; Ousterhout et al., "Beating the I/O Bottleneck: ACase for Log-Structured File Systems," Operating Systems Review, Vol.23, No. 1, ACM Press, January, 1989, pp. 11-28; Douglis et al., "LogStructured File Systems," COMPCON 89 Proceedings, Feb. 27-Mar. 3, 1989,IEEE Computer Society, pp. 124-129; and Rosemblum et al., "The Designand Implementation of a Log-Structured File System," ACM Transactions onComputer Systems, Vol. 1, February 1992, pp. 26-52; which are allincorporated herein by reference.

As soon at the communication links are established to interconnect theprimary and secondary data storage systems, synchronization of theprimary and secondary storage devices or logical volumes begins, anddata is copied from the primary (R1) devices to the secondary (R2)devices. While this initial synchronization is occurring, hostapplication input/output may be addressed to the primary (R1) devices.Typically, this application input/output is given precedence over theinitial synchronization activity.

E. Multiple Simultaneous Operating Modes for the Remote MirroringFacility

It is advantageous to provide the remote mirroring facility in thesystem 210 of FIG. 4 with multiple simultaneous operating modes bestsuited for the purposes of the desired remote mirroring. For example,remote mirroring may be used for data migration as well as for disasterrecovery, and specific operating modes will be described that are bestsuited for data migration, and others will be described that are bestsuited for disaster recovery. Data migration, for example, typicallyoccurs when a data center is moved from one geographic location toanother, or when an old data storage system is replaced with a new datastorage system.

Specific operating modes will also be described that are best suited forparticular application programs. Different application programs, forexample, may have different requirements for critically of dataintegrity. Certain application programs may have specific procedures,such as transaction processing or journaling facilities, for ensuringdata integrity relatively independent of the data integrity of the datastorage systems.

The suitability of remote mirroring may also depend on the particularuse or purpose of a dataset. Data bases, logs, catalogs, systemresidence volumes, and program libraries are excellent candidates forremote mirroring. Multiple logs when placed on separate logical volumeson different physical devices also aid business operations recovery inthe event of a disaster. Page, spool, work, and sort datasets, however,are poor remote mirroring candidates as they are write-intensive oftento only a small number of volumes.

To provide multiple simultaneous remote mirroring operating modes forspecific applications, the remote mirroring facility defines anoperating mode for each logical volume of data in the storage devices inthe primary and secondary data storage systems 214, 246. Each logicalvolume may include a number of logical tracks of data and may reside onone or more disk drives in either the primary or secondary data storagesystem 214, 246.

Each logical volume has a logical volume type that is either primary,secondary, or local. A local logical volume does not participate inremote mirroring. A pair (R1, R2) of respective primary (R1) andsecondary (R2) logical volumes participates in remote mirroringaccording to either a synchronous mode, a semi-synchronous mode, anadaptive copy--write pending mode, or an adaptive copy--risk mode, aswill be further described below.

The operational modes are selectable at the logical volume level basedon the performance, distance, and speed of recovery requirements. Allprimary (R1) volumes are configured for either the synchronous orsemi-synchronous mode. These two modes are considered to bepre-determined remote mirroring modes. In addition, the primary (R1)volumes (all, individual, or a range) may also be configured for theadaptive copy--write pending or adaptive copy--disk mode. Each volumeconfigured for adaptive copy also has an associated "skew" parameter. Inthe adaptive copy--write pending mode, this skew parameter is themaximum write pending threshold. In the adaptive copy--disk mode, thisskew parameter is the maximum invalid tracks threshold. This skew valuemay he set to the same value for all adaptive copy volumes or be adifferent value for each adaptive copy volume. The adaptive copy modeand its skew value may be enabled (or disabled) for individual remotelymirrored pairs or all remotely mirrored pairs using remote mirroringcommands.

(1) Synchronous Mode

In the synchronous mode, data on the primary (R1) and secondary (R2)volumes are always fully synchronized at the completion of an I/Osequence. The data storage system containing the primary (R1) volumeinforms the host that an I/O sequence has successfully completed onlyafter the data storage system containing the secondary (R2) volumeacknowledges that it has received and checked the data.

In particular, when the data storage system containing the primary (R1)volume has valid data in cache destined for a secondary (R2) volume, alink adapter transfers data over its link path to the cache in the datastorage system housing the secondary (R2) volume. This data transferoccurs while the data storage system containing the primary (R1) volumecontinues to process input/output commands. If the data storage systemcontaining the primary (R1) volume does not receive acknowledgment of asuccessful transfer from the other data storage system within a timeoutperiod or another failure occurs that prevents the data transfer, thedata storage system containing the primary (R1) volume sends a "unitcheck" with appropriate sense bytes to the host.

In a CKD environment, the data storage system containing the primary(R1) volume sends channel end (CE) and device end (DE) to the host aftereach write to the volume with the exception of the last write in thechannel command word (CCW) chain. On the last write, the data storagesystem sends only CE to the host. When the data storage systemcontaining the secondary (R2) volume acknowledges and checks receipt ofthe last write in the chain, the data storage system containing theprimary (R1) volume sends DE to the host and the host considers theinput/output complete and starts the next input/output operation.

In an open systems environment, the data storage system containing theprimary (R1) volume handles each input/output command separately andinforms the host of successful completion when the data storage systemcontaining the secondary (R2) volume acknowledges and checks receipt ofthe data. That is, the data storage system containing the primary (R1)volume disconnects from the channel and informs the host of successfulcompletion of the input/output operation only after confirming that thedata resides in cache in both data storage systems. If a problem occurswith data synchronization, the data storage system containing theprimary (R1) volume sends a "unit check" with appropriate sense bytes tothe host. This causes the host to retry the input/output operation.These actions maintain data integrity and ensure that two copies of thedata exist real-time in both systems before the input/output completes.

The synchronous mode is recommended primarily for the short distanceoption of FIG. 5. In normal operation, this mode will have an impact onwrite performance to primary (R1) volumes. This performance impact isdue to overhead associated with remote data transfer, fiber latency, andacknowledgment of the synchronous operation.

(2) Semi-synchronous Mode

In the semi-synchronous mode, the remotely mirrored volumes (R1, R2) arealways synchronized between the primary (R1) and the secondary (R2)prior to initiating the next write operation to these volumes. The datastorage system containing the primary (R1) volume informs the host ofsuccessful completion after each write operation.

When the data storage system containing the primary (R1) volume hasvalid data in cache destined for a secondary (R2) volume, a link adaptertransfers data via an available link path to the cache in the datastorage system containing the secondary (R2) volume. This data transferoccurs while the data storage system containing the primary (R1) volumecontinues to perform additional channel commands. If the host issues anew write operation for a primary (R1) volume with a write pendingstatus, the data storage system containing the primary (R1) volumedisconnects from the host channel and returns a "non-immediate retry"message. The data storage system containing the primary (R1) volume thenstarts another input/output operation on another channel. When the writepending status is cleared (write completed and acknowledged and checkedfrom the secondary (R2) volume), the data storage system containing theprimary (R1) volume reconnects to the channel and continues processingthe write operation on the channel from which it disconnected.

The semi-synchronous mode is recommended primarily for the long distanceoption of FIG. 6. The semi-synchronous mode is designed for situationsneeding high performance at the data storage system containing theprimary (R1) volume and tolerating a gap of up to one input/output(worst case) in data synchronization. Although write operations can beheld up due to synchronization between primary (R1) and secondary (R2)volumes, read operations continue uninterrupted.

The semi-synchronous mode is most suitable for page, spool, work, andsort datasets. In some cases, spreading these datasets across multiplephysical devices may alleviate any performance impact due to a highnumber of writes.

(3) Channel Adapter Control Logic for the Pre-determined Modes

Turning now to FIGS. 7 and 8, there is shown a flowchart of channeladapter control logic for the synchronous and semi-synchronous modes. Inthe preferred implementation, this control logic is specified byprogramming for microprocessors in the channel adapters.

In FIG. 7, a first step 401 is reached when the channel adapter receivesa channel command from the host requesting data access to a volume. Itis assumed that the host is not requesting direct access to a secondary(R2) volume in the data storage system containing the channel adapter.The host may request direct access to a secondary (R2) volume duringrecovery operations, which are described below. It is also assumed thatthe channel command is not in a chain of multiple channel commands. Thechaining of multiple channel commands is described below with referenceto FIG. 19.

In the first step 401 of FIG. 7, execution branches to step 402 for aread access. In step 402, the channel adapter accesses configurationinformation, and continues to step 403 if the host is requesting accessto a local volume. Preferably, a separate copy of the configurationinformation is stored in local memory in each of the channel adaptersand link adapters. This configuration information identifies whether avolume is local, primary, or secondary, and for each primary orsecondary volume, identifies the other volume in the remotely mirroredvolume pair.

In step 403, the channel adapter accesses the cache. If the datarequested by the host is not in the cache, then the data is fetched by adisk adapter from disk storage in the data storage system, and loadedinto the cache. Then, in step 404, the channel adapter transmits thedata and a device end signal to the host, and the channel adapter hasfinished the task of servicing the channel command.

If the host channel command is requesting data in the primary (R1)volume of a remotely mirrored pair, then execution branches from step402 to step 405. In step 405, execution branches to step 403 unless thedata storage system is in the synchronous mode. For modes other than thesynchronous mode, the reading of data from a primary (R1) volume isnormally similar to the reading of data from a local volume; in eithercase, the requested data is fetched without delay from the cache or diskin step 403. Under the abnormal condition of the data being entirelyabsent from the data storage system due to a disk drive failure,however, a request for data access to a primary (R1) volume can besatisfied by obtaining the requested data from the secondary volume (R2)in the remote data storage system. The handling of such an abnormalcondition is discussed below in connection with data recoveryprocedures.

In step 406, when a remote write is not pending to the secondary (R2) ofthe requested mirrored volume, execution also branches to step 403 tofetch the requested data from the cache or disk. When a remote write ispending to the secondary (R2) of the requested mirrored volume, however,execution continues to step 407 to suspend the current read task untilthe remote data storage system acknowledges completion of the pendingremote write. Preferably, tasks suspended while waiting for completionof a pending remote write are placed on a first-in first-out (FIFO)queue of suspended tasks, and when the remote data storage systemacknowledges completion of the pending remote write, any waiting tasksin queue of suspended tasks are serviced in the order in which the taskswere placed in the queue. Once the remote data storage systemacknowledges completion of the pending remote write, and no remote writeto the secondary (R2) of the mirrored volume is pending, as tested instep 406, execution branches to step 403 to fetch the requested datafrom the cache or disk.

When the host has requested a write access, execution continues fromstep 401 to step 408. In step 408, execution branches to step 409 whenthe host has requested a write access to a volume that is local. In step409, data from the host is written to cache, and the track tables areupdated to reflect that the old data on disk is invalid in view of thenew data from the host, and that a write operation to disk is pendingfor the invalid track or tracks on disk.

Then in step 410, a device end (DE) signal is returned to the host tosignal completion of the write operation. The signaling of thecompletion of a write operation before the data is actually written todisk is a well-known technique called "fast write." Semiconductorrandom-access memory containing the write data is backed-up by a batterysufficient to power the memory and some disk drives while the write datais transferred to the disk drives in the event of a power failure.

When the host has requested a write operation to a volume defined as amirrored volume pair, execution continues from step 408 to step 411. Instep 411, execution continues to step 412 when a remote write to thesecondary (R2) of the remotely mirrored volume is pending. In step 412,the current write task is temporarily suspended, while awaiting receiptfrom the remote data storage system of acknowledgement of completion ofthe pending remote write, as tested in step 411. When no remote writesto the secondary (R2) of the remotely mirrored volume are pending,execution branches from step 411 to step 414 in FIG. 8.

In step 414 of FIG. 8, the data from the host is written to the cache,and the track tables are updated to indicate that the track or tracksfor the new data in disk for the primary (R1) volume are invalid andhave a pending write operation to disk, and that the track or tracks forthe new data are invalid in the secondary (R2) of the remotely mirroredvolume and have a pending write to the cache in the remote data storagesystem. Due to the incorporation of the "fast write" technique ofacknowledging a write to a secondary (R2) volume when the update iswritten to cache of the data storage system containing the secondaryvolume, the remote "invalid" and "write pending" status for thesecondary (R2) volume in the track tables of the data storage systemcontaining the corresponding primary (R1) volume refers to the status ofthe secondary (R2) volume in cache or on disk; in particular, the remote"write pending" status indicates a pending write over the link to thecache in the data storage system containing the secondary (R2) volume.When the "fast write" technique is used, it is still necessary, forcarrying out the local destage or write back operation, for each datastorage system to record, for each track or data record, an indicationof whether a local destage operation is pending, and such a localdestage operation is pending when the track or record is valid and is incache but the disk drives do not have valid data for the track orrecord.

Next, in step 415, the write data from the host is written to afirst-in, first-out (FIFO) link transmission queue (504 in FIG. 18) fortransmission by a link adapter to the remote data storage system.Preferably, the entries in the queue contain pointers to the data incache. When a link adapter becomes available, it services this FIFOqueue by transmitting the data identified by the entry at the head ofthe queue across the link to the remote data storage system.

Next, in step 416, execution branches to step 417 when the data storagesystem is not in the synchronous mode. In step 417, the channel adaptertransmits a device end (DE) signal to the host, and execution continuesto step 418. Execution also continues to step 418 from step 416 when thedata storage system is in the synchronous mode.

In step 418, the current write task is suspended, until the remote datastorage system has received the write data, written the data in itscache, and has acknowledged completion of the remote write operation. Inthe short distance option, the remote acknowledgement should be receivedjust before a next remote write task sends data over the link, andtherefore it may be feasible for the link adapter to poll for the remoteacknowledgement. In the long distance option, the next remote write taskmay end data over the link well before the acknowledgement is received,so that receipt of the acknowledgement causes an interrupt re-activatingthe suspended write task. Once the data storage system receives theacknowledgement of completion of the remote write, as tested in step419, execution continues to step 420. In step 420, the track tables areupdated to indicate completion of the remote write to the cache of thesecondary (R2) volume in the remotely mirrored volume pair, so that thetrack or tracks of the new write data are valid in the secondary (R2)volume.

From the control flow in FIGS. 7 and 8, it is clear that when a hostwrites data to a remotely mirrored volume, the following sequence ofevents takes place in the synchronous mode: data is written to the cacheof the data storage system containing the primary (R1) volume (step414); an entry is placed in the FIFO link queue for transmission of thedata to the data storage system containing the secondary (R2) volume(step 415); the data storage system containing the secondary (R2) volumeacknowledges receipt of the data (step 419); the track tables aremaintained (step 420); and a device end (DE) signal is presented back tothe host that initiated the write request (step 422). In the synchronousmode, all accesses (reads and writes) to the remotely mirrored volume towhich a write has been performed are suspended (steps 407 and 412) untilthe write to the secondary (R2) volume has been acknowledged.

From the control flow in FIGS. 7 and 8, it is clear that when a hostwrites data to a remotely mirrored volume, the following sequence ofevents takes place in the semi-synchronous mode: data is written to thecache of the data storage system containing the primary (R1) volume(step 414); an entry is placed in the link FIFO queue for transmissionof the data to the data storage system containing the secondary (R2)volume (step 415); a device end (DE) signal is presented back to thehost that initiated the write request (step 417); the data storagesystem containing the secondary (R2) volume acknowledges receipt of thedata (step 419); and the track tables are maintained (step 420). In thesemi-synchronous mode, read access to the volume to which a write hasbeen performed is allowed (steps 405, 403) while the write is in transitto the data storage system containing the secondary (R2) volume. Asecond write to the volume is not allowed (steps 411, 412) until thefirst has been safely committed to the secondary (R2) volume. Thus, asingle secondary (R2) volume may lag its respective primary volume (R1)by only one write.

In the semi-synchronous mode, by presenting an earlier device end (DE)signal to the host (in step 417 instead of step 422), it is possiblethat a write operation to a different volume, logically dependent on thewrite to the first volume, will be issued by a host operating system anddata base management system. This presents no threat of datainconsistency in the data storage system, because the link transmissionqueue (step 415) is managed on a FIFO basis; the data is transmittedover the link and processed by the remote data storage system in theorder in which the data is loaded into the link transmission queue. Byinhibiting the link transmission queue from receiving any new entries(or switching all logically dependent volumes to synchronous mode), theremote data storage system will have a consistent set of data in itssecondary (R1) volumes when all entries in the queue have beentransmitted and written to the secondary (R2) volumes.

(4) Adaptive Copy--Write Pending

The adaptive copy--write pending mode transfers data from the primary(R1) volume to the secondary (R2) volume and does not wait for receiptacknowledgment or synchronization to occur. This mode keeps the data inthe secondary (R2) volume as current to the data in the primary (R1)volume as possible.

In the adaptive copy--write pending mode, the data storage systemcontaining the primary (R1) volume informs the host of successfulcompletion after each write. When the data storage system containing theprimary (R1) volume has valid data in cache for a remotely mirroredpair, it destages that data to the primary (R1) volume, and a linkadapter transfers the data over an available link path to the cache inthe data storage system containing the secondary (R2) volume. This datatransfer occurs while the data storage system containing the primary(R1) volume continues to process input/output commands. All writes forremotely mirrored pairs accumulate in the cache of the data storagesystem containing the primary (R1) volume as write pendings until thedata can be successfully written to the secondary (R2) volume and thedisk storage of the primary (R1) volume.

Should a problem arise with data transfer to the data storage systemcontaining the secondary (R2) volume or the data storage system isunable to write the data to the disk storage of the primary (R1) volume,the data storage system containing the primary (R1) volume retains thatdata in its cache until the problem can be corrected and the data issuccessfully written to the secondary (R2) volume and the disk storageof the primary (R1) volume.

The adaptive copy--write pending mode is responsive to theuser-configurable skew parameter (maximum allowable write pendingtracks) for each primary (R1) volume configured for this mode. When theskew parameter is reached, the remote mirroring operational modeswitches to the pre-determined synchronous or semi-synchronous mode forthe remotely mirrored (R1, R2) pair. When the number of write pendingtracks for the secondary (R2) volume drops below the skew value, theremote mirroring operational mode switches back to the adaptivecopy--write pending mode for the remotely mirrored pair. The skew valuemay range from 1 to 65,535, and has a default value of 65,535.

The adaptive copy--write pending mode can be enabled or disabled for oneremotely mirrored volume pair, all remotely mirrored pairs, or a rangeof remotely mirrored pairs during configuration from a user interface atthe service processor, or during operation of the optional host remotemirroring software. When the adaptive copy--write pending mode isdisabled, the remotely mirrored pairs operate in the pre-determinedsynchronous or semi-synchronous operational mode for the remotelymirrored (R1, R2) logical volume pair.

The adaptive copy--write pending mode is designed to have little or noimpact on performance between the host and the data storage systemcontaining the primary (R1) volume and to offer protection against lossof data in the unlikely event that a primary (R1) or secondary (R2)volume fails or all link paths are lost. The adaptive copy--writepending mode is ideal for situations when a large amount of data must betransferred to remote devices and performance must not be compromised atthe local site; or, for situations where it is not necessary forremotely mirrored volumes to be synchronized at all times. The remotelymirrored volumes are allowed to drift out of synchronization for higherperformance, but they stay within a pre-determined number of writependings with protection against data loss.

The adaptive copy--write pending mode of operation is convenient insituations where the write activity caused by heavy batch loads or datareorganization can severely impact performance due to the data storagesystems maintaining a full synchronous state. In these cases, the skewparameter should be set to its maximum, default value (65,535). Then theadaptive copy--write pending mode should be enabled for all remotelymirrored pairs, and data transfers begin between the primary andsecondary logical volumes.

In many systems, it is not necessary that all primary and secondarylogical volumes be fully synchronized. Logical volumes requiring fullsynchronization are configured for synchronous or semi-synchronousoperation. Those logical volumes that do not require fullsynchronization are configured for the adaptive copy--write pending modeand a low skew value (i.e., 100). When data transfers begin, such aremotely mirrored pair operates in the adaptive copy--write pending modeuntil "bursts" of high write activity cause the number of write pendingoperations to exceed the low skew value, and the remotely mirrored pairis forced to the pre-determined synchronous or semi-synchronous mode.When the number of write pending operations for the secondary (R2)volume drops below the skew value, the remotely mirrored pair returns tothe adaptive copy--write pending mode. Any new writes for the pairaccumulate in cache as write pendings. Synchronization will occur whenthe remotely mirrored pair switches to the pre-determined synchronous orsemi-synchronous mode.

For some applications, it is desirable to disable the adaptivecopy--write pending mode for specified volumes. When the data storagesystem containing the primary (R1) volume(s) receives a command todisable the adaptive copy--write pending mode, it does not achieve asynchronous or asynchronous state immediately. The remotely mirroredpairs with write pendings continue to be transferred to the secondaryvolumes (R2) in the adaptive copy-write pending mode until all writesprior to the disable command have been transferred to the respectivesecondary (R2) volumes. Then the remotely mirrored pairs achieve thesynchronous or semi-synchronous state, and writes subsequent to thedisable command are handled in the pre-determined remote mirroring mode(synchronous or semi-synchronous).

(5) Adaptive Copy--Disk Mode

The adaptive copy--disk mode transfers data from the primary (R1) volumeto the secondary (R2) volume and does not wait for receiptacknowledgment or synchronization to occur. This mode is intended to bea temporary operating mode and has little impact on performance betweenthe host and the data storage system containing the primary (R1) volume.This operational mode keeps the data in the secondary (R2) volume ascurrent to the data in the primary (R1) volume as possible.

In this mode, the data storage system containing the primary (R1) volumeacknowledges all writes to the primary (R1) volume as if they were to alocal volume. The data storage system containing the primary volumeaccumulates the new data on the primary (R1) volume marking it as"invalid tracks" for the secondary (R2) volume. Synchronization of theprimary (R1) and secondary (R2) volumes is reported to the data storagesystem containing the primary (R1) volume only. The data storage systemdoes not issue a "service alert" message to the host to notify it ofthis event.

The adaptive copy--disk mode can be enabled or disabled for one remotelymirrored volume pair, all remotely mirrored volumes, or a range ofremotely mirrored volumes, using commands entered at the serviceprocessor at the data storage system containing the primary (R1) volume,or using the host remote mirroring software. When the adaptivecopy--disk mode is disabled, the data storage systems operate in thepre-determined synchronous or semi-synchronous mode for the mirroredvolume pair (R1, R2).

The adaptive copy--disk mode uses the user-configurable skew parameter(maximum invalid tracks), that, when its value is exceeded for aremotely mirrored volume pair, causes the mode to switch to thepre-determined synchronous or semi-synchronous mode for the remotelyvolume mirrored pair. (Therefore, in any case, all write operationsbetween the remotely mirrored volumes are fully synchronized.) When thenumber of invalid tracks for a secondary (R2) volume goes below thevalue specified by the skew parameter, the Operating mode switches backto the adaptive copy--disk mode for that volume pair. The skew value,for example, may range from 1 to 999,999, and the default value is themaximum value of 999,999.

The adaptive copy--disk mode is designed for situations requiring thetransfer of large amounts of data to remote devices without loss ofperformance. Because the mode cannot fully guard against data lossshould a failure occur, this mode is recommended for temporarilytransferring a bulk of data to secondary (R2) volumes and then switchingto either synchronous or semi-synchronous mode without any adaptivecopy, or with adaptive copy--write pending mode (if some lack ofsynchronization between the remotely mirrored volume pairs can betolerated) to ensure full data protection.

The adaptive copy--disk mode is convenient in situations where it isnecessary to either migrate a data center from one location to anotheror create a mirror image of the data in a separate location without adisruption in operation. Without the use of the adaptive copy--diskmode, the write activity caused by the movement of large amounts of datacould severely impact performance, particularly in either thesynchronous or semi-synchronous mode. In this example, the large datatransfer is only a temporary condition. The skew parameter set to itsmaximum, default value, and the adaptive copy--disk mode should beenabled for all remotely mirrored pairs. When the data migration or datacopy operation has completed (or is near completion), the mode should beswitched to the synchronous, semi-synchronous, or adaptive copy--writepending mode, depending on the degree of synchronization needed betweenthe remotely mirrored volume pairs.

(6) Channel Adapter Control Logic for the Adaptive Modes

To handle the adaptive modes, a few steps in the flowchart of FIG. 7 aremodified. FIG. 9 shows the modifications. In particular, steps 431 to434 of FIG. 9 are substituted for steps 406 to 407 of FIG. 7, and steps431 to 434 of FIG. 9 are also substituted for steps 411 to 412 of FIG.7. It should be apparent that steps 432 and 433 of FIG. 9 are insertedbetween steps 406 and 407 of FIG. 7 so that when the primary mode is thesynchronous mode and a remote write to the volume is pending, thecurrent read task is not suspended in the adaptive mode (step 432) untilthe number of remote write pending tracks reaches the value of the skewparameter. In a similar fashion, steps 432 and 433 of FIG. 9 areinserted between steps 411 and 412 of FIG. 7 so that when a remote writeto the volume is pending, the current write task is not suspended in theadaptive mode (step 432) until the number of remote write pending tracksreaches the value of the skew parameter.

In order to determine whether or not any remote write is pending to asecondary (R2) volume and if so, to determine whether the number ofremote write pending tracks has reached the value of the skew parameter,the data storage system maintains in cache an "invalid tracks" countassociated with each logical volume. The "invalid tracks" counts for thevolumes are set to zero during the initial configuration of the system,and an "invalid tracks" count of zero indicates that the secondary (R2)volume is fully synchronized with its respective primary (R1) volume.The data storage system containing the primary (R1) volume incrementsthe "invalid tracks" count each time a write operation for the secondary(R2) volume is placed in the FIFO link transmission queue fortransmission over the communication link to the data storage systemcontaining the secondary (R2) volume (step 415 of FIG. 8), anddecremented each time that the data storage system containing theprimary (R1) volume receives an acknowledgement of completion of thewrite operation in the remote data storage system (steps 419 to 420 inFIG. 8). Therefore, in step 431 of FIG. 9, the "invalid tracks" countfor the secondary (R2) volume is compared to zero, and a remote write tothe volume is pending if the "invalid tracks" count is not zero. In step433 of FIG. 9, the "invalid tracks" count for the secondary (R2) volumeis compared to the skew value, and if the "invalid tracks" count isgreater or equal to the skew value, then the number of remote writepending tracks is greater or equal to the skew value.

F. Data Consistency and Host Access to Secondary (R2) Volumes

Unless the secondary (R2) volumes are synchronized to the primary (R1)volumes, the data in the secondary volumes may not be consistent. If alocal host processor is writing to the primary (R1) volumes at the sametime that a remote host processor is reading the corresponding secondary(R2) volumes, the remote processor may read inconsistent data. Forexample, the local processor may be executing a transaction thattransfers $10.00 of a client's funds between two of the client'saccounts. The local processor executes a first write that debits thefirst account by $10.00, and executes a second write that credits thesecond account by $10.00. If the remote processor reads the secondaryvolume when only the first write has been written in the secondaryvolume, and then computes the client's total funds, it will find a lossof $10.00. It is a user responsibility to ensure that the use to whichsuch read-only data is put is consistent with the possibility of datainconsistency. In general, the secondary (R2) volumes should be accessedonly after synchronization is achieved by suspending remote mirroring,and waiting until all pending remote writes have been transferred to thesecondary volumes.

If a remote host processor should perform a read/write access on aninconsistent dataset, not only is it possible that the host processorwill obtain an inconsistent result, but also the dataset may becomefurther corrupted and made worthless. Unfortunately, in the situation ofa disaster that interferes with the data storage system containing theprimary (R1) volumes, the best copy of the dataset available may residein the secondary volumes, and the user may be faced with the difficultdecision of whether the dataset should be used for a read/writeapplication, discarded, or in some way repaired with whateverinformation is available about the past history of the dataset.

It is also possible that an automatic recovery technique may furthercorrupt the dataset in the secondary (R2) volumes in the case of a"rolling disaster." In the rolling disaster, a remote mirroringrelationship exists between the two data storage systems. All linksbreak between the sites, and application processing continues using theprimary (R1) volumes. The links are restored, and resynchronizationcommences by copying data from the primary (R1) volumes to the secondary(R2) volumes. Before resynchronization is finished, however, the primaryvolumes are destroyed, and the attempt at resynchronization has furthercorrupted the secondary volumes.

Although the probability of a rolling disaster is quite low, the extentof data loss can be severe where application processing continues forsome time against the primary volumes. In this situation, it is notpractical to record a log of every single write to the primary volume.Instead, as described above for the adaptive copy modes, only the datafor the most recent write to each track is maintained in the primaryvolume, together with a record of the particular "invalid tracks" thatneed to be written to the secondary volumes to achieve synchronization.The resynchronization activity is not time-based, but rather is aprocess of copying those tracks that have changed during the outage ofthe link. Therefore, the process of attempting to bring the secondaryvolumes to the consistent state of the primary volumes existing when thelink is re-established at first tends to further corrupt the secondaryvolumes, which were nearly in a consistent state at the time of theinitial failure of the link.

The preferred embodiment of the invention addresses these problems in anumber of ways. Each write request transmitted over the link between thedata storage systems includes not only the data for the track in thesecondary (R2) volume to be updated but also the current "invalid track"count for the secondary (R2) volume as computed by the data storagesystem containing the corresponding primary (R1) volume. Therefore, oncea disaster occurs that destroys the data storage system containing theprimary volume, the data storage system containing the secondary (R2)volume has an indication of the degree of consistency of the secondary(R2) volume. The "invalid tracks" count can be used to determine anappropriate recovery operation for the volume, and can be used toselectively restrict read/write access to the volume when the userdecides that synchronization should be required for a write access.

The preferred embodiment of the invention also gives the user variousfeatures to avoid the rolling disaster by inhibiting automatic recovery.These features include a "volume domino model" that inhibits automaticaccess to one volume of a mirrored volume pair where. The other volumeis inaccessible, and a "links domino mode" that prevents access to thetwo volumes in a mirrored volume pair when all links fail. Moreover,alternative recovery procedures are provided for responding to anall-links failure in order to minimize the extent of damage caused bythe rolling disaster.

G. States of Remotely Mirrored Volumes

In the preferred implementation of remote mirroring, primary (R1) andsecondary (R2) volumes have particular states that govern host access. Aprimary (R1) volume is in either a ready state or a not ready state. Asecondary (R2) volume is in either a not ready state, a read-only state,or a read-write state. The state of the primary (R1) volume governsaccess to the primary volume by a host connected to a channel adapter ofthe data storage system containing the primary volume. The state of thesecondary (R2) volume governs access to the secondary volume by a hostconnected to a channel adapter of the data storage system containing thesecondary volume. In other words, the volume state is seen by the hostconnected to the storage system containing the volume.

The preferred embodiment of the invention defines a set of states forthe primary (R1) and secondary (R2) volumes in order to control hostaccess to the volumes. These states are set by flags in volume tables inthe cache memory of the data storage system containing the respectiveprimary (R1) or secondary (R2) volumes.

(1) Primary (R1) Volume States

(a) Primary Volume Ready

In this state, the primary (R1) volume is online to the host andavailable for read/write operations. This is the default primary (R1)volume state.

(b) Primary Volume Not Ready

In this state, the primary (R1) volume responds "interventionrequired/unit not ready" to the host for all read and write operationsto that volume. The host will also be unable to read from or write tothe secondary (R2) volume associated with that volume.

(2) Secondary (R2) Volume States

(a) Not Ready State

In this state, the secondary (R2) volume responds "interventionrequired/unit not ready" to the host for all read and write operationsto that volume. This is the default secondary (R2) volume state.

(b) Read-Only State

In this state, the secondary (R2) volume is available for read-onlyoperations.

(c) Read/Write State

In this state, the secondary (R2) volume is available for read/writeoperations.

H. "Sync Required" Attribute for Secondary Volumes

In the event of a disaster that renders all equipment at one sitenon-operational, secondary (R2) volumes on the mirrored data storagesystem at the remote site can be made available to a remote host forread-only or read/write operations by issuing commands at the serviceprocessor of the data storage system containing the secondary (R2)volumes, or by issuing commands to host remote mirroring software in theremote host. In its default configuration, all secondary (R2) volumesare not ready to the remote host. (These secondary (R2) volumes can alsobe configured for a read-only state.)

Each secondary (R2) volume has a configurable attribute, "syncrequired", for selectively preventing a secondary (R2) volume frombecoming ready to the remote host if a state change is attempted whileit is not synchronized with its primary (R1) volume. If the "syncrequired" attribute is not enabled, then all specified state changes tothe secondary (R2) volume take effect when requested. If the "syncrequired" attribute is enabled, and if the secondary (R2) volume is notsynchronized with the primary (R1) volume and not ready to the remotehost at the time of the failure, then the non-synchronized secondary(R2) volume will remain not ready. Regardless of the state of the "syncrequired" attribute, if the secondary (R2) volume were synchronized withthe primary (R1) volume and not ready to the remote host at the time ofthe failure, then the secondary (R2) volume will assume the specifiedchange of state (read-only or read/write enabled).

Secondary (R2) volumes configured as read-only with the "sync required"attribute enabled can work in their read-only state with the remote hostregardless of their synchronization state with the primary (R1) volumes.If an attempt is made to change the state of a secondary (R2) volume toread/write enabled and the secondary (R2) volume is synchronized withthe primary (R1) volume at the time of the failure, the state changeoccurs. If the secondary (R2) volume was not synchronized with theprimary (R1) volume, then the state change does not occur and the datastorage system reports the non-synchronous state to the remote host.

Turning now to FIG. 10, there is shown a flowchart of the control logicin a channel adapter for restricting the ability of a host to access asecondary (R2) volume in the fashion described immediately above. In afirst step 440, execution continues to step 441 if remote mirroring tothe secondary (R2) volume has been suspended. When remote mirroring tothe secondary (R2) volume has been suspended, writes to the secondary(R2) volume are not accepted from the data storage system containing thecorresponding primary (R1) volume. In step 441, execution branches tostep 442 if the "sync required" attribute is set for the secondary (R2)volume. In step 442, the requested state change is performed. If the"sync required" attribute is not set for the secondary (R2) volume, thenexecution continues from step 441 to step 443. In step 443 executionbranches to step 442 if the secondary volume (R2) is synchronized withits corresponding primary volume (R1). In other words, executionbranches from step 443 to step 442 if the "invalid tracks" count for thesecondary volume is zero. If the secondary (R2) volume is notsynchronized with its corresponding primary volume (R1), then executioncontinues from step 443 to step 444. In step 444, execution branches tostep 445 if the host is requesting a state change to a read-write state.If so, then in step 445 the state of the secondary (R2) volume is set to"not ready" and the channel adapter reports to the host that thesecondary (R2) volume is "not ready." If in step 444 the host was notrequesting a state change to read-write, then execution continues fromstep 444 to step 442 to perform the state change to either "not ready"or read-only, as requested by the host.

If in step 440 remote mirroring was not found to be suspended to thesecondary (R2) volume, then execution branches to step 444 in order toprevent any state change to read-write. However, a state change toread-only or "not ready" is permitted when remote mirroring to thesecondary (R2) volume is occurring.

After the state of the secondary volume is set in steps 442 or 445,execution returns.

I. Recovery

In the preferred implementation of remote mirroring, a number ofdifferent recovery procedures are available to respond to various deviceand system failures or outages. The recovery procedure that is usedshould depend on the kind of failure or outage, the degree of host oruser involvement that is deemed necessary or appropriate, the type ofdatasets or applications that could be affected, and the desired degreeof data integrity.

In general, a recovery operation is performed if either all links areinoperative, a primary volume is inaccessible, or a secondary volumes isinaccessible. If only some of the link paths are inoperative, the remotemirroring operations may continue on the remaining link paths. If all ofthe links are inoperative, then either an application may continuewithout mirroring new write data, or an application may be interrupteduntil at least one link is restored. If a primary volume isinaccessible, its secondary volume can be accessed, and the primaryvolume can be recovered by copying from its respective secondary volume.If a secondary volume is inaccessible, it can be recovered by copyingfrom its primary volume. However, these typical scenarios can becomemore complicated if a second failure affecting a mirrored volume pairoccurs before the completion of recovery from the first failure.Therefore, in the preferred implementation of remote mirroring, a numberof different recovery methods are provided, as will be described below.

When the user is involved in recovery, the user may access the datastorage system service processor to obtain the status of remotelymirrored volumes and then move control between the data storage systemsduring the disaster recovery process. The host remote mirroring softwaremay also be accessed by the user or a host application in order toobtain status and directly control disaster recovery.

(1) Data Loss

The remote mirroring mode at the time of a storage system failure oroutage will determine the minimal amount of data loss when recovery isfinished.

In the synchronous operational mode, no data need be lost in the eventof a disaster. The data storage system aborts the input/output currentlyin progress, but does not acknowledge this action to the host. This datais not considered lost.

In the semi-synchronous mode, the minimal amount of data lost depends orthe number of transactions enroute to the secondary volumes when adisaster occurs. If only the host central processing units or powerattached to the data storage system containing primary (R1) volumes arelost, no data loss occurs. If the entire site is lost, including alllink paths, all transactions enroute are lost. In a worst case scenario,one input/output per volume will be lost.

In the adaptive copy modes, the worst case scenario is loss of an entiredata storage system containing primary (R1) volumes. All write datapending transmission to the remote data storage system is lost.

(2) Automatic Recovery from Disk Drive Failure

In most cases, an automatic recovery mode is suitable for recoveringfrom a disk drive failure. A user or host application, however, may wishto ensure that an application is always interrupted immediately in caseof a disk drive failure, for example, in order to maintain primary andsecondary volumes that are always in synchronization. In this case, avolume domino mode should be used, as further described below.

In the automatic mode, if the data is not available in cache during aread operation, then the data storage system reads the data from theprimary (R1) volume. If a data check occurs on this device, the datastorage system automatically reads the data from the secondary volume.Should one volume in the remote mirrored pair fail, the data storagesystem automatically uses the other volume without interruption. Thedata storage system notifies the host with an "environmental datapresent" error, and notifies a customer support center of the datastorage system manufacturer with an error code designating that theprimary or secondary volume has failed. No user intervention isrequired. When the defective disk device is replaced, the data storagesystem re-synchronizes the mirrored pair, automatically copying data tothe new disk. In a similar fashion, when an outage occurs, e.g., toperform maintenance activity on a remotely mirrored volume For anextended period of time, the primary (R1) volume tracks all updates toits secondary (R2) volume and copies the updated tracks to the othervolume when the remotely mirrored pair is re-established. The time ittakes to resynchronize the mirrored pair depends on the link pathactivity, input/output activity to the volume, and the disk capacity.

(3) Automatic Recovery for Adaptive Copy--Write Pending

Should disk storage containing the primary (R1) volume fail, the datastorage system having the primary (R1) volume temporarily suspends theadaptive copy--write pending mode, destages all write pendings for thesecondary (R2) volume at the highest priority, and continuesinput/output operations with the secondary (R2) volume. When the primary(R1) volume is replaced, the data storage system resynchronizes theremotely mirrored pair and re-enables the adaptive copy--write pendingmode. No data is lost because the data storage system containing theprimary (R1) volume always retains the data in its cache until it candestage the data to the disk storage for the primary (R1) volume.

Should a secondary (R2) volume fail, the data storage system containingthe primary volume (R1) continues to mark new write data as writependings to invalid tracks in the secondary (R1) volume until thesecondary (R2) volume can be replaced. When the defective device isreplaced, the data storage system resynchronizes the remotely mirroredpair and re-enables the adaptive copy--write pending mode.

(4) Automatic Recovery for Adaptive Copy--Disk

Should a primary (R1) volume fail, all data not already written to thesecondary (R2) volume is lost. When the primary (R1) volume is replaced,the data storage system containing the primary volume R1) resynchronizesthe remotely mirrored volume pair and re-enables the adaptive copy--diskmode.

Should a secondary (R2) volume fail, the data storage system containingthe primary (R1) volume marks all pending writes and any new data asinvalid tracks until the secondary (R2) volume can be replaced. When thedefective device is replaced, the data storage system resynchronizes theremotely mirrored pair and re-enables the adaptive copy--disk mode.

(5) Dynamic Sparing Option

A dynamic sparing option for remote mirroring reserves disk drives asstandby spares for primary (R1) volumes, secondary (R2) volumes, or bothtypes of volumes. These standby spares are not user-addressable. Thedynamic sparing option, when enabled, determines when a primary (R1) orsecondary (R2) volume is about to fail and copies the contents (allvolumes) of the disk drive on which that volume resides to an availablespare (designated for that type of volume) without any interruption inprocessing. The data storage system notifies the host of this event withan "environmental data present" error, and also notifies the customersupport center of the storage system manufacturer so that physicalreplacement of the failing disk drive can be scheduled. The data storagesystem uses the spare until the disk drive on which the original logicalvolume resided can be replaced. The dynamic sparing option maintainsdata availability without impacting performance.

The dynamic sparing option is most easily implemented when it isrestricted to physical disk drives that have all primary (R1) volumes orall secondary (R2) volumes. Also, for a physical disk drive having allsecondary (R2) volumes, the implementation of dynamic sparing is mosteasily implemented if the corresponding primary (R1) volumes do notreside on multiple data storage systems in the data processing system.

When the dynamic sparing option has been enabled during configurationand the data storage system determines during operation from errorstatistics or reporting that a drive failure is possible or a drive hasbecome totally unavailable, the data storage system looks for anavailable dynamic spare disk drive that can be substituted for thefailing or failed disk drive. The storage system dynamically copies alldata from the "good" disk drive in the remote pair across the links tothe available spare. The data Storage system continues to process hostinput/output requests at the highest priority while this copy operationtakes place to minimize the effect on performance. When the copyoperation completes, the data storage system notifies the host and thecustomer support center of the event.

When the failing or failed disk drive is physically replaced, the datastorage system makes the volume(s) on the new disk drive ready, disablesthe spare, and dynamically copies the contents of the other volume inthe remotely mirrored pair to the new disk drive. The data storagesystem returns the spare to its pool, making it available if anotherremotely mirrored volume (primary (R1) or secondary (R2)) fails in thefuture.

In summary the dynamic sparing option increases protection of allremotely mirrored volumes from loss of data, automatically activates thespare volume without interruption prior to loss of access of apotentially failing volume, ensures that the contents of the spare areidentical to the contents of the original, and resynchronizes a new diskdrive with the dynamic spare after replacement or repair of thedefective disk drive is complete. The dynamic sparing is transparent tothe host and requires no user intervention.

(6) Link Failure

Normally at least two link paths exist between two remotely mirroreddata storage systems. Should a link path fail, communication continuesuninterrupted on the remaining link path. The data storage system sendsan error message to the local host identifying the failed link path. TheData Switch Model 9800 MAX, when used in the link paths, has aconfiguration option that automatically switches link paths when itdetects a T3 circuit failure. In order to report link path failures tothe host, this configuration option should be disabled.

If all link paths fail between the data storage systems, no data can bewritten to the secondary (R2) volumes in either data storage system. Inan automatic link recovery mode, which is a default configuration,writes from the local host continue to the primary (R1) volumes. Allupdated tracks are marked so that when the link paths are restored, thedata storage system will begin transferring the marked data to thesecondary (R2) volumes. In the adaptive copy--write pending mode, alldata for the secondary (R2) Volume(s) accumulates as invalid tracks inthe cache of the data storage system containing the primary (R1)volume(s). In the adaptive copy--disk mode, all data for the secondary(R2) volume(s) accumulates as invalid tracks in disk storage of the datastorage system containing the primary (R1) volume(s). In a dominorecovery mode, however, the primary volumes become "not ready" to thelocal host whenever all links fail, in order to maintain synchronizationbetween data storage systems.

(7) Domino Modes

There are two domino modes. The first is a volume domino mode, that canb defined for individual mirrored volume pairs, a range of mirroredvolume pairs, or all mirrored volume pairs. The second is an "all links"domino mode, applicable to all mirrored volume pairs.

The default state for a primary volume is the ready state. If theprimary (R1) volume fails, the host will continue to see that volume as"ready", and all reads and/or writes will continue uninterrupted withthe secondary (R2) volume in that remotely mirrored pair. However, adomino mode can make the primary volume "not really."

(8) Volume Domino Mode

When enabled for a mirrored volume pair, this mode causes the primary(R1) and secondary (R2) volumes to become not ready to a host if eitherone of the primary (R1) and secondary (R2) volumes become inaccessiblefor remote mirroring, for example, due to a disk drive failure or an"all links" failure preventing data transfer between the primary (R1)and secondary volumes (R2). The data storage system responds"intervention required/unit not ready" to a host on all accesses to the"not ready" volume.

To resume remote mirroring after the fault has been corrected, theprimary (R1) volume must be made ready again by manual entry of commandsto the service processor of the data storage system, or by commands tothe host remote mirroring software. If, however, the primary (R1) orsecondary (R2) volume or the links remain down, the primary (R1) volumewill immediately become not ready again until the cause of the failureis resolved. If the cause of the failure is resolved and the primary(R1) volume is made ready again, the data storage system containing theprimary (R1) volume renotifies its local host that the volume is againready and brings it online.

The volume domino mode can be enabled together with the synchronous modeenabled and adaptive copy modes disabled to guarantee synchronizationbetween primary (R1) and secondary (R2) volumes in a mirrored volumepair. This combination offers the greatest protection from the "rollingdisaster" scenario described above.

(9) All-Links Domino Mode

When enabled, this mode causes all primary (R1) and secondary (R2)volumes to become not ready if all links fail. When at least one link isreestablished, the primary (R1) volumes must be made ready again bymanual entry of commands to the service processor of the data storagesystem, or by commands to the host remote mirroring software. If,however, the all links remain down, the primary (R1) volumes willimmediately become not ready again until a link is established. Once alink is established and the primary (R1) volumes are made ready again,the data storage system containing the primary (R1) volumes renotifiesits local host that the primary (R1) volumes are again ready and bringsthem online.

The all-links domino mode is particularly useful for a cluster of hostprocessors in an open systems environment that uses the link between theprocessors for sharing data. For example, the shared data would bewritten by a local host to a primary (R1) volume, transmitted over thelink to a secondary (R2) volume, and read by a remote host havingread-only access to the secondary (R2) volume. In this situation, it maybe desirable to interrupt the application when there is no longer alink. Setting the volumes to a volume domino mode might be toorestrictive in this situation, because the shared data could still bewritten across the link to the secondary (R2) volume even if thecorresponding primary volume (R1) would be unavailable.

(10) Channel Adapter Control Logic for Domino Modes

Turning now to FIG. 11, there is shown a flowchart of channel adaptercontrol logic for implementing the domino modes when remote mirroring isenabled. In a first step 451, execution branches to step 452 when therehas been a simultaneous failure of all links, preventing the remotemirroring or access of data. In step 452, execution branches to step 453if the data storage system containing the channel adapter is in theall-links domino mode. In step 453, the channel adapter presents an"intervention required" signal to the host presently connected to thechannel adapter.

The "intervention required" signal is processed by the operating systemof the host. For example, the host operating system displays an errormessage to the system operator, so that the system operator may performa manual recovery operation using the host remote mirroring software, asfurther described below. The host operating system may also checkwhether the channel adapter was servicing an application program at thetime of the "intervention required" signal, and if so, then the hostoperating system checks whether the application program has defined anerror handling interrupt routine. If the host operating system finds anerror handling interrupt routine for the application then the hostoperating system invokes the error handling interrupt routine. Theoptional error handling interrupt routine may prevent the applicationfrom performing further database activity requiring critical databasebackup, and may save application information useful for a recoveryoperation.

If step 451 finds that all links have not failed simultaneously, or ifstep 452 finds that the data storage system is not in the "all-links"domino mode, then execution continues in step 454. In step 454,execution branches to step 455 if there is a failure to complete a writeoperation to both the primary (R1) and secondary (R2) volumes of amirrored volume pair. In this situation, it is not possible to completea write operation to the primary (R1) volume or secondary (R2) volumewithout maintaining synchronization between these volumes. In step 455,execution branches to step 453 if the data storage system is in the"volume domino mode" for the remotely mirrored volume pair. If the datastorage system is not in the "volume domino mode" for the remotelymirrored pair, then execution continues to step 456. In step 456,execution branches to step 453 if neither the primary volume (R1) northe secondary volume (R2) are accessible, because in this case, thewrite operation has not been completed to either volume. If one of theprimary (R1) or secondary (R2) volumes is accessible, then in step 457the write operation is completed with the accessible volume.

If step 454 found that there was not a failure to complete a writeoperation to both the primary (R1) and secondary (R2) volumes, thenexecution continues to step 458. In step 458, execution branches to step455 if there was a failure to read a primary (R1) volume. Although afailure to read a primary volume will not in and of itself cause a lossof synchronization between the primary (R1) and secondary (R2) volumesof a remotely mirrored volume pair, such a loss could occur, or becomemore pronounced, by the time of a following write operation. Therefore,execution branches to step 455 so that if the volume domino mode is notenabled for the primary (R1) volume, then an "intervention required"signal will be presented to the host in step 453 to begin a recoveryoperation as soon as possible. If, however, the domino mode is notenabled for the primary (R1) volume, and its Corresponding secondary(R2) is found to be accessible in step 456, then in step 457 the readoperation is completed by reading the secondary (R2) volume.

If step 458 found that there was not a failure to read the primary (R1)volume, then execution continues to step 459. In step 459, executionbranches to step 455 if there was a failure to read a secondary (R2)volume. In other words, the secondary (R2) volume was in its read-onlystate but the read failed, so that the secondary volume would also beunavailable for a write operation during remote mirroring. Again, such afailure to read a the secondary volume will not in and of itself cause aloss of synchronization between the primary (R1) and secondary (R2)volumes of a remotely mirrored volume pair, but such a loss could occur,or becomes more pronounced, by the time of a following write operation.Therefore, execution branches to step 455 so that if the volume dominomode is not enabled for the primary (R1) volume, then an "interventionrequired" signal will be presented to the host in step 453 to begin arecovery operation as soon as possible. If, however, the domino mode isnot enabled for the secondary (R1) volume, and its corresponding primary(R2) is found to be accessible in step 456, then in step 457 the readoperation is completed by reading the primary (R1) volume.

(10) Host Failure

If only the CPU(s) at the site are lost, no data loss occurs in anyremote mirroring operational mode for data already in cache at the datastorage system. The data storage system containing the primary (R1)volume transfers any pending write operations to the data storage systemcontaining the secondary (R2) volume without interruption.

(11) System-Based Recovery from the Site Failure

When a disaster at a local site renders all equipment non-operational,all link paths between the local data storage system and a remotemirrored data storage system fail. Secondary (R2) volumes cannot beupdated and no data can be written to primary (R1) volumes on the datastorage system at the local site, although writes can continue toprimary (R1) volumes on the data storage system at the remote site. Theremote data storage system marks all updated tracks on the primary (R1)volumes so that when the link paths are restored, the two data storagesystems automatically resynchronize.

When the data storage system at the local site is ready to be broughtback online, recovery can be performed by setting all channel interfacesto online, and powering-up the local data storage system. The local andremote data storage systems begin synchronizing. When the linkssynchronize, the primary (R1) volumes begin transferring data to thesecondary (R2) volumes. The length of time it takes to resynchronize afull volume depends on the level of activity on the links, the level ofactivity on the data storage systems, the number of updated tracks(i.e., write pendings or invalid tracks) that need to be copied, linkdistances between data storage systems, and the size of the volume. Theprimary (R1) volumes must be in the enabled state for resynchronizationto occur. The data storage system sends an operator message to its hostwhen a volume has resynchronized.

(12) Application-Based Recovery

System-based recovery from a total failure of a primary (R1) volumemight not be successful due to the "rolling disaster" scenario. Thereare, however, application-based recovery techniques that can adapted forrecovery in the "rolling disaster" scenario.

One well-known application-based recovery technique, used extensively intransaction processing systems, is to maintain a log file of all writes("before" or "after" images) to a data file. To ensure recovery, data isalways written to the log file before it is written to the data file.The log file may contain a number of different versions of data writtento the same location or track in the dataset. At any given time,however, the data file contains only one version of the data at anygiven location or track. If the dataset volume were to becomeinaccessible, then recovery would consist of (1) restoring the mostrecent image copy of the data, and (2) applying all logs to that data,thus making the data current. If the log file volume were to becomeinaccessible, then recovery would consist of (1) allocating a new logfile, and (2) taking a current copy of the image data.

In a preferred implementation, as shown in FIG. 12, the application 291maintains the log file on a remotely mirrored volume pair 291, 293 andthe data file 292, 294 on a remotely mirrored volume pair 295, 296 inthe data processing system 210. The degree of synchronization betweenthe primary volumes 295 and secondary volumes 296 is selected toguarantee that new data is written to the secondary (R2) log file 293before the new data is written to the secondary (R2) data file 294.Therefore, the "rolling disaster" scenario is avoided.

The synchronous or semi-synchronous modes, without adaptive copy, willguarantee that data is written to the secondary (R2) copies of the logfile 293 and the data file 294 in the same order that the host writesdata to the primary (R1) copies 291, 292. Therefore, use of thesynchronous or semi-synchronous modes, without adaptive copy, wouldguarantee that new data is written to the secondary (R2) copy of the logfile 293 before the new data is written to the secondary (R2) copy ofthe data file. However, a less restrictive method is for the applicationto synchronize the secondary (R2) log file volume 293 just before eachtransmission of new log file data from the application to the primarydata storage system, and to synchronize the secondary (R2) data filevolume just before each transmission of the new data file updates fromthe application to the primary data storage system 214. This lessrestrictive method ensures that cache overwrite cannot disrupt thesequencing of the log and data file updates in the FIFO linktransmission queue.

Turning now to FIG. 13, there is shown an example of a recoveryprocedure for the system of FIG. 12. If there is a primary systemfailure such as a complete destruction of the primary data storagesystem 214, then in the first step 641, the host operating systeminterrupts the application 292, and the application initiates anapplication-based recovery program to recover from the secondary (R2)copies of the log file 293 and the data file 294. In step 643, theapplication inspects time stamps, sequence markers, or beginning/end offile markers in the secondary (R2) copies of the files 293, 294 todetermine which one of the two files was last written to. The file lastwritten to can be assumed to be corrupted. If the log file 293 werecorrupted, then in step 645 it is discarded and a new secondary (R2) logfile is allocated, because the secondary (R2) data file 294 is intact.If the log file 293 were not corrupted, then in step 644 the log file293 is used to recover the data file 294 by applying to the data filethe changes recorded in the log file.

If in step E, 41 the primary data storage system 214 has not failed,then in step 646, execution branches to step 647 if a primary (R1)volume 295 has failed. In this case, the primary data storage system 214performs automatic recovery in step 647 by copying the secondary (R2)volume 296 to the primary (R1) volume.

If in step 646 a primary (R1) volume 295 has not failed, then in step646, execution branches to step 649 if the secondary (R2) volume 296 hasfailed. In this case, the primary data storage system 214 performsautomatic recovery in step 649 by copying the primary (R1) volume 295 tothe secondary (R2) volume 296, to restore the secondary (R2) volume 296.

If all links are lost between the primary and secondary data storagesystems 214, 246, then processing with the primary (R1) file copies canbe suspended until a link is re-established. When the link isre-established, the secondary (R2) file copies can be restored bytransferring the pending secondary write data over the link. If theentire data storage system containing the primary (R1) copies isdestroyed during the transfer, then it is still possible to recover inthe fashion described immediately above for recovering from thedestruction of the data processing system having the primary (R1)copies. In other words, the secondary copies of the files are inspected,and the file last written is assumed to be corrupted. If the log filewere corrupted, then it can be discarded or re-used, because the datafile copy is intact. If the log file were not corrupted, then it can beused to recover the data file by applying to the data file the changesrecorded in the log file. This recovery technique still works because inthe interrupted transfer of the pending secondary write data over thelink, the changes to the secondary (R2) copy of the data file are alwayswritten to the secondary (R2) copy of the log file before they arewritten to the secondary (R2) copy of the data file.

If all links are lost between the remotely mirrored data storagesystems, as tested in step 650, then processing with the primary (R1)file copies can continue in step 651. To avoid the "rolling disaster"scenario, however, the secondary (R2) file copies should not be restoredwhen the link is reestablished in step 652 by transferring secondarywrite pendings generated since all of the links were lost as in step654, unless it can be guaranteed, as tested in step 653, that thechanges to the secondary (R2) copy of the data file are always writtento the secondary (R2) copy of the log file before they are written tothe secondary (R2) copy of the data file. If processing with the primary(R1) file copies has continued for any substantial length of time, thenit cannot be guaranteed that all updates can be transferred to thesecondary (R2) log file before the secondary (R2) data file. Therefore,in this case, execution branches to step 655. In step 655, the secondary(R2) log and data files 293, 294 are saved by configuring them as localcopies. Next, in step 656 new, initially empty secondary (R2) files areconfigured corresponding to the primary (R1) files, and remote mirroringis enabled to copy the primary (R1) log and data files 291, 292 to thenew secondary (R2) files. This is an example of a data migrationoperation upon an active volume, which can be done as described below.Once the new secondary (R2) files have been sufficiently synchronizedwith the primary files to guarantee that new data is written to the newsecondary (R2) log file before the new data is written to the newsecondary (R2) data file, recovery has been completed and normalprocessing may continue. The old, now local secondary file copies can bediscarded. However, as tested in step 657, the data storage systemcontaining the primary files could be destroyed during the migrationprocess before recovery has been completed with the new secondary (R2)files. In this case, in step 658, the new secondary (R2) files arediscarded and the old, saved secondary (R2) log and data files arerestored to their secondary status, and used by the application-basedrecovery program in steps 643 to 645. This recovery from the old, savedsecondary files, however, will recover the state of processing existingjust before the all-inks failure.

J. Data Migration of Active Volumes

Data migration may be needed when recovering form an all-links failureafter continued processing upon a primary (R1) volume, as describedabove. Data migration may also occur during the initial installation ofa remote data storage system for remote mirroring to an active datastorage system. Data migration may also occur when a data center or hostprocessor is moved from a local site to a remote site. In all of thesecases, it is desirable to minimize the disruption of data processingactivities during the migration of data from an active primary (R1)volume to a secondary (R2) volume. The conventional way of performing adata migration to a remotely mirrored volume is to suspend processing onthe primary volume, copy its contents to the remotely mirrored volume,and then resume processing on the primary or secondary volume.

One advantage of performing data processing activities in a remotelymirrored system as shown in FIGS. 1 or 4 is that a host centralprocessing unit can easily be moved from a local site to a remote site.Processing can be quickly switched over from the local site to theremote site so long as the primary and secondary volumes aresynchronized at the time of the switch.

A data migration can be performed upon an active volume, with minimaldisruption of data processing, by following an iterative technique shownin the flowchart of FIG. 14. This flowchart represents steps in anactive migration task run on the data storage system containing theprimary (R1) volume to be migrated. The active migration task, forexample, is activated by a system operator using the host remotemirroring software.

In the first step 471 of FIG. 14, the active volume is configured as aprimary (R1) volume, and a new, initially invalid or empty volume isconfigured as the corresponding secondary (R2) volume to which data fromthe primary (R1) volume is to be migrated. Next, in step 472, half of abitmap array BITMAP(SWITCH) is cleared.

The bitmap array is located in the cache memory of the data storagesystem containing the primary (R1) volume. The bitmap array has twohalves, each of which contains a bit for each track in the volume. Eachbit is initially cleared, and each bit is initially set when thecorresponding track is updated by new data for the track being writteninto the cache memory. SWITCH is a flag enabling one or the other of thehalves of the bitmap array to receive the changed track identifications.In particular, channel adapter microcode for a host servicing task setsa particular bit in the bitmap by using a base address register that isset with either a first pointer value pointing to the first half of thebitmap array, or a second pointer value that points to the second halfof the bitmap array. The logical value of the switch flag determineswhether the first pointer value or the second pointer value is used inthe base address register for addressing either the first half or thesecond half of the bitmap array. The migration task can, in a single"atomic" operation, switch the pointer value used by the channel adapterhost servicing task. Therefore, the host processing need not besuspended to perform the switching operation.

In step 473, the migration task enables the changed track identificationfeature of the host servicing task of the channel adapter microcode sothat indications of tracks being changed are written in the half of thebitmap array that was cleared in step 472. Next, in step 474, themigration task copies all of the tracks of the primary (R1) volume tothe secondary (R2) volume. Once this copying is finished, then in step475, the migration task clears the other half of the bitmap array notpresently selected by the switch for recording changed trackindications. Next, in step 476, the migration task inverts the switch(i.e., complements its binary state) to begin recording changed trackidentifications in the portion of the bitmap array that was cleared instep 175. Then, in step 477, the migration task copies the changedtracks of the primary (R1) volume, as indicated by the portion of thebitmap array not cleared in step 475, to the secondary (R2) volume, andthe migration task also counts the number of copied tracks. Once all ofthe indicated changed tracks are copied, execution continues to step478.

In step 478, the migration task displays to the system operator thetotal number of copied tracks that were counted in step 477. This numberindicates the rate of convergence, so that the operator will have anidea as to when the migration of the active volume will be finished. Instep 479 the total number of copied tracks that were counted in step 477is compared to a threshold. This threshold determines the number oftracks that must be copied while host processing is inhibited. Thegreater the threshold, however, the more quickly the active volume canbe migrated. Therefore, the threshold should be set for about thelongest tolerable duration of suspended host access to the data storagesystem. If step 479 finds that the total number of copied tracks thatwere counted in step 477 is greater than the threshold, then executionbranches back to step 475 to begin another iteratior. Otherwise,execution continues to step 480 of FIG. 15.

In step 480 of FIG. 15, the migration task suspends host processing withthe primary (R1) volume. Then, in step 481, the migration task copiesthe changed tracks of the primary (R1) volume, as indicated in the halfof the bitmap that was cleared in step 475, to the secondary (R2)volume. Once this copying is done, the migration task is finished. Theprimary (R1) and the secondary (R2) volumes are in sync, and theycontain the same data. Host processing may then resume by accessing theprimary (R1) volume and remotely mirroring data to the secondary volume.Alternatively, before resuming host processing, the linked data storagesystems could be reconfigured to reverse the roles of the primary (R1)and the secondary (R2) volumes, so that the host would directly accesswhat was the secondary (R2) volume.

The migration technique of FIGS. 14-15 usually achieves rapidconvergence toward synchronization of the primary (R1) and secondary(R2) volumes because during the copying of all of the tracks of theprimary (R1) volume in step 474, a majority of the tracks will not havebeen changed. Since fewer tracks need to be copied in the next step 477,the time for a single iteration successively decreases. In any case,convergence can be guaranteed by increasing the priority of themigration task relative to the host servicing task in order to allocatemore data storage system processing time to the migration task than tothe host servicing task.

The basic migration technique of FIGS. 14-15 can be adapted to use theremote invalid track bits (124 in FIG. 3) and remote write pending trackbits (106 in FIG. 3) in the track directory, instead of the bitmap arraydescribed above. In this case, it is desirable to also use similarchannel adapter logic for both migration and remote mirroring.

Turning now to FIG. 16, there is shown control logic for the channeladapter in managing the remote write pending and remote invalid trackbits during the processing of a write operation. If the write is not toa primary volume, as tested in step 601, then execution branches to step606, and the states of the remote write pending and remote invalid trackbits are unaffected. Otherwise, in step 602 the remote write pending bitis set for the track being written to. Then in step 603, executionbranches to step 606 if the remote invalid bit for the track is alreadyset. Otherwise, in step 604, the remote invalid bit for the track isset, and in step 605, the remote invalid track count for the volume isincremented. Then, in step 606, the data is written to the track in thevolume.

Turning now to FIG. 17, there is shown a flowchart of the migration taskthat uses the remote invalid track bits, the remote write pending bits,and the remote invalid track count maintained by the channel adaptertask of FIG. 16. In the first step 611 of FIG. 17, the secondary (R2)volume to receive the migration data from a corresponding primary (R1)volume is invalidated by setting all of the remote invalid track bitsfor this volume. In step 612, the remote invalid track count for thissecondary (R2) volume is set to the number of tracks in the secondary(R2) volume.

To begin an iteration through the tracks of the remotely mirrored volumepair, in step 613 a track pointer is set to a first track in theremotely mirrored volume pair. Then in step 614 execution branches tostep 620 if the remote invalid bit is not set for the track indicated bythe track pointer. Otherwise, execution continues to step 615. In step615, the remote write pending bit for the track is cleared. Then in step616, the track is copied from the primary (R1) volume to the secondary(R2) volume.

It is possible that during step 616, the remote write pending bit mightbe set by a write to the primary (R2) volume, because host processingmay continue during the migration process. Therefore, in step 617, ifthe remote write pending bit for the track is found to be set, executioncontinues to step 620, because the copied track has been invalidated.Otherwise, execution branches to step 618 to clear the remote invalidbit for the track, and in step 619 the remote invalid track count forthe secondary (R2) volume is decremented. Execution continues to step620.

In step 620, the track pointer is inspected, and if it does not point tothe last track in the remotely mirrored volume pair, then executioncontinues to step 621 to set the track pointer to the next track in theremotely mirrored volume pair, and execution loops back to step 614.Otherwise, once an iteration is completed over all tracks in theremotely mirrored volume pair, execution branches from step 620 to step622. In step 622, the remote invalid track count is compared to zero,and if it is zero, the migration is finished because the secondary (R2)volume is synchronized to the primary (R1) volume. Otherwise, executioncontinues from step 622 to step 623. In step 623, the invalid trackcount is compared to a threshold selected to be about the largest numberof tracks that can be copied while host processing is suspended withoutcausing a serious disruption of host processing. If the threshold isexceeded, then execution loops back to step 613 to begin anotheriteration. Otherwise, execution continues to step 624 to suspend hostprocessing, and then execution loops back to step 613 for one moreiteration, which will result in the invalid track count becoming zeroand synchronization being achieved between the primary (R1) andsecondary (R2) volumes.

K. Servicing of the FIFO Link Transmission Queue

Turning now to FIG. 18, some components in FIG. 4 are shown in order todepict data structures in the cache 228. These data structures includethe volume and track tables 501, logical tracks of data 502, aleast-recently used (LRU) queue 503, the FIFO link transmission queue504, and a link buffer 505.

Elements of the volume and track tables 501 have been shown anddescribed above with reference to FIGS. 3 and 4. The volume and tracktables serve as an index to the logical tracks of data in the cache andstored on disk. The volume and track tables include informationidentifying the location of each logical track on disk; whether thetrack image is currently in the cache and if so where; some demographicdata such as dates and time stamps about the logical tracks; whether thetrack image is synchronized with an internal or remote copies; andwhether a particular record on the logical track has been modified andis pending a write to disk or to a remote copy.

Blocks of cache memory are dynamically allocated when needed to storethe logical tracks of data 502. The least-recently-used (LRU) queue 503contains pointers to cache blocks that are available to be allocated.When a cache block is needed, the pointer at the head of the LRU queue503 identifies the cache block that should be allocated. If the cacheblock is needed for a read operation, the pointer is placed at the tailof the LRU queue 503. If the cache block is needed for a writeoperation, the pointer is taken off the LRU queue 503, and is put backon the LRU queue only when a writeback operation to disk has beencompleted. The pointer is also kept off the LRU queue 503 for remotewrite pending in the synchronous, semi-synchronous, and adaptivecopy--write pending mode in order to retain the remote write pendingdata in cache.

The FIFO link transmission queue 504 was described above with referenceto step 415 of FIG. 8. In the preferred implementation, this link queue504 is used in connection with the link buffer 505 in order to prepareinformation for transmitting commands and data over the link 240 fromthe link adapter 236 to tile remote or secondary data storage system 246in FIG. 18. The commands transmitted over the link 240 include a writecommand for a remote write to a secondary (R2) volume in the secondarydata storage system 246, and a read command for reading data from asecondary volume (R2) in the secondary data storage system. Each commandtherefore accesses a single volume. The link queue 504 contains arespective entry for each command that is transmitted over the link 240.Each entry is placed in the link queue 504 by a channel adapter involvedin a remote read or write operation, and removed from the link queue bya link adapter that transmits the corresponding command over a remotelink to the secondary storage system 246.

In practice, the host 212 communicates with the channel adapter 226 bysending chains of channel command words (CCW's). Each chain of channelcommand words define operations to perform with respect to a singlelogical volume. The chain defines a single input/output operation. Theresults of all channel command words of this single input/outputoperation are to be committed before commitment of the results of anyfollowing CCW's. Once the host processor sends the entire chain to thechannel adapter, it need not poll for a response; instead, the hosttypically continues with other operations, and is interrupted when thechannel adapter responds with a device end (DE) signal indicating thatthe results of the last CCW in the chain have been committed.

If the CCW chain consisted of a single write command from the host 212to the channel adapter 226 in FIG. 18, then the CCW chain would beprocessed in the following sequence. First, the channel adapter 226 putsthe write data in a specified logical track of data 502 in the cache.Then, for an IBM compatible host 212, the channel adapter "disconnects"from the host. (Disconnect is a term used by IBM to describe theprotocol followed by an IBM host writing data in CKD or ECKD format.)The channel adapter 226 also recognizes that the specified logical trackis in a remotely mirrored volume pair, and therefore the channel adapterinserts an entry into the link queue, pointing to a location in the linkbuffer 505, and puts into the link buffer pointers to the write data inthe cache. Then, the link adapter 236 services the link queue 504 bytransferring the write data across the link 240. Finally, when the linkadapter 236 receives an acknowledgement of the remote write from thesecondary data storage system 246, the link adapter signals the channeladapter 226, and the channel adapter "reconnects" with the host 212 andreturns a device end (DE) signal to the host.

In the preferred implementation, the entry in the link queue 504includes a one-byte password for confirming the validity of the entry, alogical volume number specifying the secondary (R2) volume, a numberidentifying the channel adapter that created the entry, a pointer to astarting location in the link buffer 505 for additional information forthe command to be sent to the secondary storage system containing thespecified secondary (R2) volume, and lock information by which aparticular channel adapter or link adapter can obtain exclusive accessto the entry. The lock information ensures that only a single channeladapter loads the entry, and a single link adapter uses the entry togenerate a command sent over a link to the secondary data storagesystem. The link buffer 505 is used in addition to the queue 504 inorder to store efficiently a variable amount of information forproducing each command sent over a link to the secondary storage system246.

In the preferred implementation, each write command sent over a link tothe secondary storage system 246 may include write data from multiplechannel command words. Moreover, it is very desirable to "bundle" thewrite data for all write commands in the channel command word chain intoa single write command transmitted over a link to the secondary storagesystem 246. The channel adapter 226 must therefore decode the channelcommand words to an extent necessary to determine when it receives thelast channel command word in the chain. This decoding process isdependent on the syntax of the channel command words. A conventionalfixed-block addressing (FBA) syntax, for example, has a "beginning ofchain" channel command with the format START BLOCK, COUNT where COUNT isthe number of following command words in the chain. The IBMcount-key-data (CKD) syntax has a similar DEFINE EXTENT command, whichdefines a number of following channel command words included in thechain, although this is not the exclusive method used to indicate theextent of the chain in the IBM CKD syntax. Alternatively, the syntaxcould use an "end of chain" command. One particular IBM ESCON syntaxuses a flag in every channel command word to indicate whether or not theword is the last word in its chain.

IBM CKD channel command words have a syntax described, for example, inN. S. Prasad, "IBM Mainframes: Architecture and Design," McGraw-HillBook Company, New York, N.Y., 1989, Section 3.4, Input/OutputArchitecture, pp. 58-73, incorporated herein by reference, and "The IBM3990 Storage Control Reference," No. GA32-0099-04, InternationalBusiness Machines Corporation, Tucson, Ariz., 1991, pp. 1-304,incorporated herein by reference. In general, the IBM CKD channelcommands are in effect program instructions, and IBM Corp. refers to astring of channel command words as a "channel program." On pages 61 to63, for example, N. S. Prasad, "IBM Mainframes: Architecture andDesign," says: "A channel program consists of one or more ChannelCommand Words (CCWs). Each CCW occupies a doubleword location instorage. The CCWs have consecutive addresses. The channel fetches a CCW,decodes it, and executes it. Execution consists of passing the CCW tothe control unit and device for performing the required operation. Afterthe required operation is performed, the channel executes the CCW in thenext contiguous location, if the last CCW contains a chaining flag. Itis possible to branch to a noncontiguous CCW by using atransfer-in-channel command. By using command chaining and the TRANSFERin CHANNEL command it is possible to perform branching and loopingwithin a channel program."

For processing IBM CKD channel command words, the channel adapterdecodes and executes the channel command words, and applies the rulesset out in the above IBM references to determine when the end of thechain is reached. The channel interface in the IBM host processor alsodecodes channel command words to find the end of the chain, in order tointerrupt the host processor when the channel adapter sends back thedevice end (DE) for the last CCW in the chain. (See page 60 of N. S.Prasad, "IBM Mainframes: Architecture and Design.")

The preferred format for the information in the link buffer 505 is astring of track and record identifications and indications of where therecords are found in the cache 228. The track and recordidentifications, for example, are in the form of: "track no. p, startingat record q, n records, starting at cache address r; track no. s,starting at record t, m records, starting at cache address u; . . . ."In this example, not every record need be specified, because ranges orextents of contiguous records can be specified. Also, with this format,the track and record identifications can be built up and appended intothe link buffer 505 as write channel command words are decoded by thechannel adapter, and the data for each write channel command word isloaded into cache at the indicated starting addresses.

Each link adapter scans the link queue 504 in an iterative loop, lookingfor unlocked entries to service, beginning at the head of the queue. Thelink adapter locks the next entry to service, checks he password todetermine if the entry is valid, and if so, gets he buffer pointer fromthe entry, reads the buffer, and builds a job to be executed fortransferring data from cache across the link in a direct memory access(DMA) operation. In particular, the link adapter builds a header, andtransmits over the link the header, followed by the data, followed by acyclic redundancy check (CRC). The header, for example, contains acommand code such as a code for read or write access, link and commandstatus flags, the logical volume number of the secondary (R2) volume toaccess, and the invalid track count for the secondary (R2) volume.

Turning now to FIGS. 19 and 20, there is shown a flowchart of thecontrol logic in the channel adapter for bundling the remote writecommands included in a channel command word chain. In a first step 521of FIG. 19, the channel adapter receives a channel command word from thehost. Then in step 522, execution branches to step 523 if the channelcommand word is a write to a secondary (R2) volume in the remote datastorage system. In step 533, the channel adapter performs the actionspecified by the channel command word. Then, in step 524, executionloops back to step 521 if the End of the CCW chain has not been reached.If step 524 finds that the end of the CCW chain is reached, thenexecution continues to step 525 to send a device end (DE) signal to thehost, and execution loops back to step 521.

If step 522 finds the channel command word specifies a remote write,then execution continues to step 526. In step 526, the channel adaptergets an entry for the link queue. This entry is a free block of cachememory. Then in step 527, execution branches to step 528 if the remotewrite operation must be suspended for a synchronization mode. In thesynchronous and semi-synchronous modes, the remote write must besuspended if there is already a pending write to the secondary (R2)volume. In the adaptive copy--pending write or adaptive copy--diskmodes, the remote write must be suspended if the "invalid tracks" countfor the secondary (R2) volume has reached the skew value. After thechannel adapter task has been suspended and resumed to maintainsynchronization in step 528, or if step 527 finds that there is no needto suspend the channel adapter task for synchronization executioncontinues to step 529.

In step 529, the channel adapter puts the queue entry on the tail of thelink queue. Then in step 530, the channel adapter writes one or morerecords into cache, setting the local and remote write pending flags, aswill be further described below with reference to FIG. 22, andaccumulates in the link buffer identification and record pointerinformation for the remote write operation. Next, in step 531, executioncontinues to step 532 if the end of the CCW chain has not been reached.In step 532, the channel adapter receives the next channel command word.Then, in step 533, execution loops back to step 530 if this next channelcommand word requires a remote write operation to a remote secondary(R2) volume. If not, execution continues to step 534. In step 534, thechannel adapter performs the operation specified by the channel commandword, and execution loops back to step 531. Once the end of the chain isfound in step 531, execution branches to step 535 of FIG. 20.

In step 535 of FIG. 20, the channel adapter marks the link queue entryvalid for processing by a link adapter, and releases its lock on thelink queue entry. Execution then continues to step 536. In step 536,steps 416 to 422 of FIG. 8 are performed as described above, to send adevice end (DE) signal to the host. For all but the synchronous mode,the device end (DE) signal is sent immediately. For the synchronousmode, the device end (DE) signal is not sent until the remote write hasbeen acknowledged.

Turning now to FIG. 21, there is shown a flowchart of the control logicfor the link adapter, corresponding to the flowchart of the channeladapter in FIGS. 19 and 20. In a first step 541, the link adapter startsat the head of the link queue, and scans the entries in the queue insequence until it finds a valid, unlocked entry to process, and then thelink adapter locks the queue entry so that no other link adapter willattempt to process it. In step 542, the link adapter assemblesinformation for the header of a command to transmit over a link of thelink adapter. In step 543, the link adapter builds a transmission jobfrom the information in the link buffer.

In step 544, the link adapter checks whether the entry it is processingis at the head of the link queue, and if not, the link adapter waitsuntil the entry reaches the head of the queue. Then in step 545, thelink adapter removes the entry from the head of the link queue, marksthe status information of the header with a time stamp or sequencenumber, and executes the job to send the command over the link,including the header followed by data read from the cache in a directmemory access (DMA) operation, and a cyclic redundancy check. The timestamp or sequence number can be used by the remote data storage systemto detect link transmission problems and to write to its cache in propersequence data from commands received from various links and linkadapters despite possible delay of some commands due to link failure. Inan alternative arrangement, each link queue entry or corresponding linkbuffer entry could be marked with a time stamp or sequence number at thetime the link queue entry is inserted at the tail of the link queue, sothat step 544 could be eliminated. Moreover, in the short distanceoption configuration having a single link, time stamps or sequencenumbers would not be needed, because each command could be transmittedover the link, received, and acknowledged before the next command in thelink queue would be transmitted.

Next, in step 546, for the long-distance option, the link adapter taskfor the queue entry is suspended for a time until resumed upon receiptof a corresponding acknowledgement from the remote data storage system.When the link queue entry is suspended, a new task is begun in step 541.In the short distance option, however, it may be preferable for the taskto poll for an acknowledgement of receipt, instead of suspending thetask. In any case, if a receipt is not acknowledged within a timeoutperiod, as tested in steps 547 and 548, then in step 549 an error islogged or reported to the system operator, and in step 550 the job isre-executed to retransmit the command over the link, or ifretransmission is unsuccessful, the job is redirected to an alternativelink or alternative link adapter.

Once the link adapter receives an acknowledgement of receipt of thewrite command from the remote data storage system, execution continuesfrom step 547 to step 551. In step 551, the link adapter reports thereceipt of the acknowledgement to the channel adapter which originatedthe write command. This reporting, for example, is done by the linkadapter writing a message in a mailbox region of cache memorypreassigned to the channel adapter which originated the command.Alternatively, circuitry could be provided so that the link adaptercould directly interrupt the channel adapter.

In step 552, the link adapter de-allocates the cache memory of the linkqueue and the corresponding memory in the link buffer. The task is thendone. In the short distance option, the link adapter could continuouslyrun a single task, in which case execution would loop back from step 552to step 541.

Turning now to FIG. 22, there is shown a flowchart of a procedure thatcould be used in step 530 of FIG. 19 for writing a record to a primary(R1) volume. In the first step 561 of FIG. 22, the channel adapterchecks whether the track of the record is in cache. If not, thenexecution branches to step 562 to fetch a next cache track slot from theLRU queue (503 of FIG. 18). Then in step 563, the channel adapter checkswhether the track is on disk. If so, then execution branches to step564, and the track is copied from disk to the cache slot in cache. Ifnot, execution loops around step 564. Then in step 565, the track tablesare updated to indicate that the track now resides in the new cachetrack slot. Then in step 566, the record is written to the cache trackslot. In step 567, the local and remote write pending flags are writtenin the track tables. For example, each track has such local and remotewrite pending flags, and also each record has such local and remotewrite pending flags. Finally, in step) 568, a pointer to the record incache is accumulated in the link buffer.

If the track does reside in cache, then in step 569, execution branchesto step 570 if the channel adapter is working in an "overwrite cacheoption" for the volume. This is the fastest option for remote mirroringof data, but it contributes to the "rolling disaster" problem. In theoverwrite cache option, every single update to a record of a primaryvolume is not necessarily transmitted to the secondary volume. Instead,if the cache contains a remote write pending record that has not yetbeen transmitted by a link adapter to the data storage system having thesecondary volume, then a new version will overwrite this write pendingrecord in cache (in step 566). In the adaptive copy moles, however, theoverwrite cache option substantially increases the performance of remotemirroring of data, by reducing the number of remote pending records thatare maintained in cache or on disk.

In step 570 execution continues to step 566 if a "compress" option isnot enabled for the volume. The compress option is described below withreference to FIG. 23.

If overwrite cache option is not enabled, then execution continues fromstep 569 to step 569 to check whether there is a remote write pending tothe record in cache. If not, execution branches to step 566, since inthis case there is no possibility of an overwrite of a remote writepending record not yet transmitted over the link. If there is a remotewrite pending record, then execution branches to step 572. To avoidwriting over the remote write pending record, when step 572 finds that a"log in cache" option is not selected for the volume, then executionbranches back to step 561 to stall or suspend the writing of the newrecord until the cache slot no longer contains the remote write pendingrecord; step 561 will check that the track has not been removed fromcache during suspension of the current channel adapter task.

If the "log in cache" option is selected, then execution continues fromstep 572 to step 573. In step 573, a new cache track slot is obtainedfrom the head of the LRU queue, and in step 574 the existing remotewrite pending track is copied to the new cache track slot. Therefore,the original track in cache is still available for transmission of theoriginal remote write pending record over the link by a link adapter,and a new cache track slot for the same track is available to receivethe new version of the write pending record. Execution continues fromstep 574 to step 565, so that the track tables are updated to point tothe new cache track slot.

The "log in cache" option should be used only if the current loading onthe data storage system is very light, because the copying of data fromone cache track slot to another will tie up access to the cache. Also,keeping multiple versions of tracks in cache will tie up cacheresources, so a count of such old versions of tracks should be kept(incremented when a copy is made, and decremented when the track cacheslot is deallocated upon receipt of acknowledgement of a remote writeoperation), and no more than a (certain number of such old versionsshould be permitted in cache at any given time. The "log in cache"option, however, would permit uninterrupted host access to a primary(R1) volume in the event of an all-links failure for a short period oftime. The short period of time could be used to detect the "all links"failure, and to switch the remote links over to some spare disk drivesto create a non-volatile log of all remote writes. If a link could berestored before the spare disk drives are overloaded, then the sparedisk drives could be used to restore the secondary (R2) volumes withoutthe possibility of corruption due to the "rolling disaster" scenario.

If step 570 finds that the compress option is enabled, then executionbranches to step 575 of FIG. 23. In step 575 of FIG. 23, executionbranches back to step 566 of FIG. 22 if a remote write is not pending.Otherwise, execution continues to step 576 of FIG. 23. In step 576, thenew record is written to the track cache slot. In step 577, the localwrite pending flag is set in the track tables. Then in step 578, thetrack tables are accessed to determine whether the prior write pendingoperation is still on the link queue. For the compress option, forexample, the track table contains "on-queue" bits in addition to the"write pending" bits; the on-queue bits would be set in step 530 of FIG.19 (and in step 568 of FIG. 22 and step 579 of FIG. 23 for particularrecords) and cleared in step 545 of FIG. 21. If the prior write pendingoperation is still on-queue for the new write data, it is not necessaryto accumulate in the link buffer the pointers to the new write datasince the prior write pending pointers, still on queue, will cause thenew write data to be sent. Therefore, in this case, execution returnsfrom step 578. Otherwise, execution continues from step 578 to step 579.In step 579, the pointers to the new write data are accumulated in thelink buffer.

L. Remote Mirroring Error Messages

In a preferred implementation of the remote mirroring facility, the datastorage system reports the following environmental prior messages at theservice processor user interface, and to the host and the customerservice center:

Dynamic sparing invoked.

Dual-initiator adapter failed to reset.

Over temperature condition.

Data storage system power system alarm.

Locally mirrored drive (primary (R1) volume) is in a "not ready" state.

Locally mirrored drive (primary (R1) volume) is write disabled.

Remotely mirrored drive (secondary (R2) volume) is in a "not ready"state.

Service processor not responding.

Failed to complete an automatic call to the customer support center.

Power supply failure.

Environment cable missing.

AC line failure or interruption.

High charge state not detected within 2 minutes of power up; or, clockinconsistency found between data storage system and service processor;or, adapter inserted without power-up.

Latched alarms.

Link adapter problem/failure.

Link adapter problem/failure corrected; all links operational

M. Remote Mirroring Event Messages

In a preferred implementation of the remote mirroring facility, the datastorage system reports the following device-level events at the serviceprocessor user interface and to the host and to the customer servicecenter:

Secondary (R2) volume resynchronized with primary (R1) volume.

Primary (R1) volume resynchronized with secondary (R2) volume.

Resynchronization process has begun.

N. Remote Mirroring Status Commands

In a preferred implementation of the remote mirroring facility, theservice processor and the host remote mirroring software responds to thefollowing commands for requesting remote mirroring status:

(1) Display Configuration Status

This command displays the following status information regarding logicalvolumes configured for remote mirroring:

Volume number.

Channel number.

Number of cylinders on volume.

Mirrored Volume status.

Flags enabled for the volume:

80-primary (R1) volume

40-secondary (R2) volume

20-WR Enable (secondary (R2) volume read/write enabled)

10-Not Ready (volume "not ready" to host)

08-semi-synchronous mode of operation

04-data migration

02-Sync required

01-Domino effect

(2) Display Write Pending Tracks

This command displays the number of write pending tracks betweenremotely mirrored volume pairs. An invalid track count is displayed foreach of the primary (R1) and secondary (R2) volumes. Synchronized pairsdisplay "0" for the invalid track counts for each of the primary (R1)and secondary (R2) volumes.

(3) Display Adaptive Copy Volumes

This command displays the primary (R1) volume, the secondary (R2)volume, the adaptive copy mode (write pending or disk), and the skewvalue set for each remotely mirrored pair having adaptive copy enabled.

O. Remote Mirroring Configuration Commands

In a preferred implementation of the remote mirroring facility, theservice processor and the host remote mirroring software respond to thefollowing commands for requesting remote mirroring status:

Set the configuration of primary (R1) volumes and their correspondingsecondary (R2) volumes.

Make a specified primary (R1) volume or range of primary volumes or allprimary volumes "ready" to the remote host.

Make a specified primary (R1) volume or range of primary volumes or allprimary volumes "not ready" to the remote host.

Enable a specified secondary (R2) volume or range of secondary volumesor all secondary volumes for remote host writes.

Enable a specified secondary (R2) volume or range of secondary volumesor all secondary volumes for remote host "read only".

Make a specified secondary (R2) volume or range of secondary volumes orall secondary volumes "not ready" to the remote host.

Enable volume domino mode for a specified primary (R1) volume or rangeof primary volumes or all primary volumes.

Disable volume domino mode for a specified primary (R1) volume or rangeof primary volumes or all primary volumes.

Enable link domino mode.

Disable link domino mode.

Set the synchronous mode for a specified primary (R1) volume or range ofprimary volumes or all primary volumes.

Set the semi-synchronous mode for a specified primary (R1) volume orrange of primary volumes or all primary volumes.

Enable adaptive copy--write pending mode and set the skew rate for aspecified primary (R1) volume or range of volumes.

Enable adaptive copy--disk mode and set the skew rate for a specifiedprimary (R1) volume or range of volumes.

Disable adaptive copy for a specified primary (R1) volume or range ofvolumes.

Enable the "sync required" attribute for a specified primary (R1) volumeor range of primary volumes or all primary volumes.

Disable the "sync required" attribute for a specified primary (R1)volume or range of primary volumes or all primary volumes.

P. Host Remote Mirroring Software Features

The optional host remote mirroring (RM) software (213 in FIG. 4) enablesan operator to monitor and control remote mirroring and data migrationof the data storage system by entering commands at a host systemconsole. In particular, the operator can query the status of the driveand link relationships between remotely mirrored data storage systems,query the synchronization status of each mirrored volume pair, modifythe synchronization modes for each mirrored volume pair, and issuecommands to suspend or resume the mirroring activity for each mirroredvolume pair or an entire data storage system. The host remote mirroringsoftware commands may be integrated into automated operations or hostapplications, giving the user a robust and elegant implementation ofremote mirroring with a great deal of flexibility and control.

For all command examples below, the "#" character is used for a "commandprefix" parameter. When executing the command examples, substitute theparticular command prefix recognized by the host operating system.

(1) Sync Direction

The host remote mirroring software permits an operator or hostapplication program to initiate, inhibit, suspend, or resume remotemirroring in any specified direction between two data storage systemsconfigured for remote mirroring. (See, for example, the actions that canbe performed by the #SC VOL command described below.) When the hostremote mirroring software is loaded and initialized, parameterstatements may be included to restrict this "sync" direction that isallowed for the remote mirroring configuration, and to initialize thesync direction.

(a) Sync Direction Allowed

The parameter statement SYNCH₋₋ DIRECTION₋₋ ALLOWED, is optional andsets valid values for current synch direction that can be specified inthe SYNCH₋₋ DIRECTION₋₋ INIT initialization parameter and in the #SCGLOBAL,SYNCH₋₋ DIRECTION command. The parameter values for thisstatement may be one of the following:

R1>R2 which will only allow the synch direction to be set to primary(R1) to secondary (R2) or NONE;

R1<R2 which will only allow the synch direction to be set to secondary(R2) to primary (R1) or NONE;

R1<>R2 which will allow the synch direction to be set to any validsetting; or

NONE which will only allow the synch direction to be set to NONE.

If this parameter is not specified, SYNCH₋₋ DIRECTION₋₋ ALLOWED defaultsto R1>R2. When NONE is specified for SYNCH₋₋ DIRECTION₋₋ ALLOWED, the#SC VOL command parameters VALIDATE and INVALIDATE will not function.The format of this parameter statement is as follows:

SYNCH₋₋ DIRECTION₋₋ ALLOWED=R1>R2.linevert split.R1<R2.linevertsplit.R1<>R2.linevert split.NONE For example: SYNCH₋₋ DIRECTION₋₋ALLOWED=R1>R2

(b) Synch Direction Init

The parameter statement SYNCH₋₋ DIRECTION₋₋ INIT, is optional and setsthe synchronization direction at the time the host remote mirroringsoftware is started. The current SYNCH₋₋ DIRECTION may be changed usingthe #SC GLOBAL,SYNCH₋₋ DIRECTION command. The parameter values for thisstatement may be R1>R2 which specifies that VALIDATE is allowed only onsecondary (R2) volumes and INVALIDATE is allowed only on primary (R1)volumes, or R1<R2 which specifies that VALIDATE is allowed only onprimary (R1) volumes and INVALIDATE is allowed only on secondary (R2)volumes, or NONE. If this parameter is not specified, SYNCH₋₋DIRECTION₋₋ INIT defaults to NONE. The format of this parameterstatement is as follows:

SYNCH₋₋ DIRECTION₋₋ INIT=R1>R2.linevert split.R1<R2.linevert split.NONE

For example: SYNCH₋₋ DIRECTION₋₋ INIT=R1<R2

This parameter must not conflict with SYNCH₋₋ DIRECTION₋₋ ALLOWED and istherefore subject to all constraints set by SYNCH₋₋ DIRECTION₋₋ ALLOWED.This parameter may be changed with the #SC GLOBAL,SYNCH₋₋ DIRECTIONcommand.

(2) Host Remote Mirroring Software Status Commands

These commands allow an operator to view various aspects of remotemirroring status.

#HELP

The HELP commend displays all available host remote mirroring softwarecommands.

#SQ ADC

The SQ ADC command displays the adaptive copy skew values for thespecified volumes(s).

Format: #SQ ADC, cuu, count.linevert split.ALL

Parameters: cuu Specifies the host device number for the volume

count Specifies the number of devices for which to display adaptive copyinformation. This value can be set from 1 to 256 (decimal) or ALL. Ifthis parameter is not specified, count defaults to 1.

Comments: Only the source (R1) volumes in adaptive copy mode (disk orwrite pending) are displayed.

Example: #SQ ADC,F00,5

This example displays the following fields:

1. host device number.

2. First device address (hex) on the host channel.

3. Control unit device number in hex.

4. Remotely mirrored device number in hex.

5. Adaptive Copy mode in effect. Valid values are Adaptive Copy--WritePending mode (AW), or Adaptive Copy--Disk mode (AD).

6. Current skew value--for Adaptive Copy--Write Pending mode, it is thenumber of writes pending for the target (R2) volume. For the AdaptiveCopy--Disk mode, it is the number of tracks marked as out-of-syncbetween the source (R1) and the target (R2) volume.

7. Adaptive copy maximum skew value for device(s). Range=1 to 999,999(decimal).

#SQ CNFG

The SQ CNFG command displays the status of the data storage system. Itlists the serial number of the data storage system, the amount of cachememory installed, the controller emulation type, the microcode level,the data storage system IDs and their associated number of devices, andthe adapter type and layout.

Format: #SQ CNFG, cuu

Parameters: cuu specifies the host device number.

Comments: Issue this command to determine the location of the linkadapters in the data storage system for the remote mirroring operations.

Example: #SQ CNFG,500

This example causes the following fields to be displayed:

1. data storage system serial number.

2. Cache size in megabytes.

3. Controller emulation type.

4. Microcode level.

5. Data storage system ID(s) with associated number of devices.

6. Microcode patch level and date.

7. Maximum number of tracks to allow to be out of synchronization

8. (through 23) Data storage system adapter types. Valid values are:DA=Disk Adapter, CA=Parallel Channel Adapter, EA=Serial Channel Adapter,SA=Fast-Wide SCSI Channel Adapter, LA=link adapter.

#SQ GLOBAL

The SQ GLOBAL command displays the settings for the various globalparameters including the current host remote mirroring software version,the current and allowed synch directions, the status of messageprocessing and the size of a message table, and setting for anOPERATOR₋₋ VERIFY initialization parameter.

Format: #SQ GLOBAL

Example: #SQ GLOBAL

The example displays the following fields:

1. The host remote mirroring software version.

2. The current synchronization direction. Valid values are NONE, R1>R2,and R1<R2.

3. The status of message processing. Valid values are Yes, "nnn" or No.The value "nnn" is the number of messages that can be held in themessage table.

4. The setting for operator verification. Valid values are ALL, NONE, orCRITICAL.

5. The allowable synchronization directions as specified in theinitialization parameters. Valid values are NONE, R1>R2, R1<R2, orR1<>R2.

#SQ LINK

The SQ LINK command displays the port connection and online/offlinestatus of individual link adapters. It also displays the averageinput/output's per second during a short interval, and the totalinput/output's since the last data storage system initial microcodeload.

Format: #SQ LINK, cuu

Parameters: cuu Specifies the host device number.

Example: #SQ LINK,600

This example displays the following fields:

1. host device number.

2. Adapter number of the link adapter in hex.

3. Link adapter type.

4. Number of ports.

5. Port connection status (Y=link path established; N=no link pathestablished). This field corresponds left to right as to the ports onthe board. The ports on the board are top to bottom.

6. Link status. Valid values are ONLINE or OFFLINE.

7. Short interval duration during which the average number of startinput/output commands are calculated. This timer resets approximatelyevery 10 minutes or when a data storage system initial microcode loadoccurs or utility reset command is issued.

8. Average input/output's per second over the short time interval.

9. Time since last data storage system initial microcode load or lastutility reset command issued from the service processor.

10. Total start input/output commands since last data storage systeminitial microcode load or last utility reset command.

#SQ MSG

The SQ MSG command displays any remote mirroring error or informationalmessages presented to the host console if the message processing startupoption was selected. These messages can be generated by any data storagesystem in the remote mirroring configuration.

Format: #SQ MSG count.linevert split.ALL

Parameters: count Specifies the number of messages to display. Thisvalue can be set from 1 to the size of the message log (as specified ina MESSAGE₋₋ PROCESSING initialization parameter) or ALL. If thisparameter is not specified, count defaults to 1.

Comments: This command, when issued with the ALL parameter, displays allmessages currently held in the message log. The newest messages willappear at the top of the display and the oldest messages at the bottomof the display.

Example: #SQ MSG,ALL

This example displays the following fields:

1. Date of Error condition.

2. Time of error condition.

3. Reporting device address.

4. Device experiencing error (data storage system device number).

5. Device volser of device reporting the error.

6. Control unit system ID.

7. Data storage system message. Valid remote mirroring messages include:DYNAMIC SPARING INVOKED, TARG VOLUME RESYNC W/PRIMARY, PRIMARY VOLUMERESYNC W/SECONDARY, R1 VOL NOT READY STATE, R1 VOL WRITE DISABLED, R2VOLUME IN NOT RDY STATE, ADAPTER LINK PROBLEM, RESYNC PROCESS HAS BEGUN,ADAPTER LINK OPERATIONAL. Valid migration Messages are similar exceptsubstitute "DATA MIGRATION COMP ON VOL" for "PRIMARY VOLUME RESYNCW/SECONDARY".

#SQ SSID

The SQ SSID command displays the data storage system IDs known to thehost operating system and the number of devices associated with themduring the remote mirroring initialization.

Format: #SQ SSID, count.linevert split.ALL

Parameters: count Specifies the number of data storage system IDs todisplay. This value can be set from 1 to 64 (decimal) or ALL. If thisparameter is not specified, count defaults to 1.

Comments: Setting the parameter value to ALL displays all data storagesystem IDs found with devices online to the host.

Example: #SQ SSID,ALL

This example displays the following fields:

1. System ID.

2. Number of devices (in hex) that have been known to be online for thisstorage system ID.

3. Flags.

x`80`1... . . . EMC Corp. SYMMETRIX data storage system

x`40`.1.. . . . EMC Corp. data storage system 5xxx Series

x`20`..1. . . . 3990 controller emulation

x`10`...1 . . . DEV number is valid. Treat this field as a bit mask.More than one of these bits may be on at a given time. For example, avalue of "F0" indicates that the controller is a EMC SYMMETRIX datastorage system, 5xxx Series, in 3990 mode, and that the device numbersare valid. An IBM Corp. model 3990 data storage system would have ax`20` flag.

4. First cuu found for this data storage system ID.

5. First device address (hex) on the host channel.

6. First data storage system device number.

7. Last cuu found for this data storage system ID.

8. Last device address (hex) on the host channel.

9. Last data storage system device number.

#SQ VOL

The SQ VOL command displays the status of individual remote mirroringvolumes including online, offline, synchronization state, writeprotection state, remote mirroring mode of operation, etc. Format: #SQVOL, cuu, count.linevert split.ALL.linevert split.INV₋₋ TRKS

Parameters: cuu Specifies the host device number

count Specifies the number of devices to display.

This value can be set from 1 to 256 (decimal), or ALL, or INV₋₋ TRKS. Ifthis parameter is not specified, count defaults to 1.

Comments: Only remote mirroring volumes display INV₋₋ TRK values. Thecount parameter can display either a range of remote mirroring devices,or the status of ALL remote mirroring devices on a specified controlunit, or only those remote mirroring devices with an invalid trackscount.

Example: #SQ VOL,600,8

This example displays the following fields:

1. Host device number. Field 1 displays "????" for devices not onlineduring startup or put online after the last SC GLOBAL,SSID₋₋ REFRESHcommand.

2. First device address (hex) on the host channel. Field 2 displays "??"for devices not online during startup or put online after the last SCGLOBAL,SSID₋₋ REFRESH command.

3. Data storage system device number in hex.

4. Remotely mirrored logical volume number in hex.

5. Device volser. If the device was online at system initialization orduring a SC GLOBAL,SSID₋₋ REFRESH, the volser is from a systemconfiguration control block (UCB); otherwise, it is the volser assignedto the device when the data storage system was installed.

6. Total number of cylinders on volume.

7. Host device status. Valid values are:

NOSCHIB=no sub-channel for device,

HOT-IO=device is in hot input/output status,

PDA-PRV=pending offline, allocated, mounted private,

PDA-PUB,=pending offline, allocated, mounted public,

PDA-STG=pending offline, allocated, mounted storage,

OFFLINE=device offline to the host,

ON-PRV=online, mounted private,

ON-PUB=online, mounted public,

ON-STG=online, mounted storage,

ONA-PRV=online allocated, mounted private,

ONA-PUB=online allocated, mounted public,

ONA-STG=online allocated, mounted storage,

N/A=the system configuration control block (UCB) was not available.

8. Number of open DCBs.

9. Control Unit status. Format is xxx-yy-z. Valid values are: xxx=R/W(read/write mode), xxx=R/O (read only mode), xxx=N/R (not ready mode),xxx=RNR (RDF devices globally not ready), xxx=TNR (secondary (R2) notready; this status indicates that communication between the remotemirroring pair is currently inactive due to either the link is offline,the link path is physically unavailable or the remote mirroring pair isRDF-Suspended. Use the #SQ LINK command to determine whether the linksare online or offline, and the physical connection status of the links),yy=SY (Synchronous mode), yy=SS (Semi-Synchronous mode), yy=AW (AdaptiveCopy--Write Pending mode), yy=AD (device is configured for AdaptiveCopy--Disk mode), z=I (a secondary (R2) volume to go not ready if theprimary (R1) volume (its mirrored device) has invalid tracks onsecondary (R2) volume and a state of change has been requested on thesecondary (R2) volume), z=D (primary (R1) volume to go not ready ifsecondary (R2) volume is not ready--Domino mode).

10. Mirroring status. Valid values are:

R1=Remote mirror primary (R1) volume,

R2=Remote mirror secondary (R2) volume,

ML=Local mirror volume,

RS=Raid-S volume,

(blank)=unprotected device.

11. Primary (R1) volume invalid track count.

12. Secondary (R2) volume invalid track count.

13. Primary (R1)/secondary (R2) volume synchronization percentage.

(3) Host Remote Mirroring Software Configuration Commands

#STOP

The STOP command terminates the host remote mirroring software.

#SC CNFG

The SC CNFG command sets the number of invalid tracks allowed for theAdaptive Copy--Disk mode function.

Format: #SC CNFG, cuu, value

Parameters: cuu Specifies the host device number.

value Specifies the maximum allowable tracks (1 to 999,999 decimal outof synchronization for a specified volume.

Example: #SC CNFG,E00,250

This example sets the maximum allowable invalid tracks for the volumehaving device number E00 to 250.

#SC GLOBAL

The SC GLOBAL command, when used with the SSID₋₋ REFRESH parameter,causes the host remote mirroring software to "refresh" its internalcontrol blocks with information regarding any data storage systems,volumes, and volsers that have been brought online since the host remotemirroring software was started or the last refresh command was issued.

Format: #SC GLOBAL, SSID₋₋ REFRESH or

#SC GLOBAL, SYNCH₋₋ DIRECTION,R1>R2.linevert split.R1<R2.linevertsplit.NONE

Parameters: SSID₋₋ REFRESH Refreshes host remote mirroring softwareinternal control blocks with the latest information on data storagesystem IDs, devices, and volsers.

SYNCH₋₋ DIRECTION Sets current synchronization direction. Valid valuesare subject to restrictions set by the SYNCH₋₋ DIRECTION₋₋ ALLOWEDinitialization parameter.

Comments: Devices that have been taken offline are not deleted from hostremote mirroring software internal control blocks during the refreshprocessing. This allows the host remote mirroring software to maintainthe host device number to data storage system device number mapping tosimplify the entry of #SC VOL commands.

#SC LINK

The SC LINK command modifies the status of a link adapter.

Format: #SC LINK, cuu, dir#, state

Parameters: cuu Specifies the host device number

dirt# Specifies the link adapter number. Valid values are 01-10 (hex) orALL.

state Specifies the states of the specified link adapter(s). Validvalues are OFFLINE and ONLINE.

Comments: The adapter number specified must be a link adapter. Ifnecessary, issue the #SQ CNFG command to determine the link adapternumbers. When ALL is specified as the dir# parameter value, therequested state of change will be applied to all link adapters.

#SC MSG

The SC MSG command, when used with the RESET parameter, clears themessage log.

Format: #SC MSG,RESET

Parameters: RESET Clears the message log of all entries.

#SC VOL

The SC VOL command modifies the status of remote mirroring volumes. This(configuration command provides the ability to set the remote mirroringoperational mode. All #SC VOL commands require the operator to confirmthe action specified, unless this has been disabled by the OPERATOR₋₋VERIFY sysparm. This confirmation is necessary as some actions mayresult in loss of data if performed incorrectly. For example, only onevolume in a remotely mirrored pair may be read/write-enabled when thedevices are remote mirror suspended. The requirement for confirmationmay be bypassed based on the value specified for the OPERATOR₋₋ VERIFYinitialization parameter.

Format: #SC VOL, cuu, action, dev#, value

Parameters: cuu Specifies the host device number.

action See the table of possible actions below.

dev# Specifies the data storage system device number. Valid values are00 to FF (hex) and ALL. Used with the ADCOPY₋₋ DISK option.

value This value represents the maximum skew value for the device(s) inadaptive copy mode.

Comments: If a data storage system device number is specified, it mustbe a valid device type (R1 or R2) for that action. If ALL is specifiedfor the dev# parameter, the host device number may be any device type,but the action will be performed only on the valid device types. If nodev# parameter is specified, then the host remote mirroring softwarewill attempt to use the cuu to determine the data storage system devicenumber on which to perform the action.

    ______________________________________                                        Table of Possible Actions                                                     R1 = primary volume, R2 = secondary volume                                    Action Valid                                                                            Volume Type                                                                              Description                                              ______________________________________                                        R/W       R2         Make secondary (R2) device(s) read                                            and write enabled. This allows a                                              secondary (R2) to be written to                                               from the channel. Please note that                                            if you write to the secondary (R2)                                            device, you should perform testing                                            and recovery procedures.                                 R/O       R2         Make secondary (R2) device(s)                                                 read-only. When a secondary (R2)                                              volume is in this status, any                                                 attempt to issue a write from the                                             channel produces an input/output                                              error.                                                   RDY       R2         Make secondary (R2) device(s) ready                                           to the host.                                             NRDY      R2         Make secondary device(s) not ready.                                           In this state, the secondary (R2)                                             volume responds "intervention                                                 required" to the host for all read                                            and write operations to that                                                  volume. This is the default state                                             for a secondary (R2) volume.                             SYNC      R1         Set primary (R1) device to the                                                synchronous mode. This is a remote                                            mirroring mode of operation that                                              ensures 100% synchronized mirroring                                           between the two data storage                                                  systems.                                                 SEMI-SYNC R1         Set primary (R1) device to the                                                semi-synchronous mode. This is an                                             remote mirroring mode of operation                                            that provides an asynchronous mode                                            of operation.                                            DOMINO    R1         Enable volume domino mode for                                                 primary (R1) device. This ensures                                             that the data on the primary (R1)                                             and secondary (R2) volumes are                                                fully synchronized at all times in                                            the event of a failure.                                  NDOMINO   R1         Disable volume domino mode for                                                primary (R1) device. During this                                              default operating condition, a                                                primary (R1) volume continues                                                 processing input/outputs with its                                             host even when an remote mirroring                                            volume or link failure occurs.                                                These failures cause loss of                                                  primary (R1) and secondary (R2)                                               synchronization. When the failure                                             is corrected, the devices begin                                               synchronizing.                                           RDF-RDY   R2/R1      Set volume ready to the host for                                              remote mirroring operation. This                                              action is valid for both primary                                              (R1) and secondary (R2) volumes.                         RDF-NRDY  R2/R1      Set volume not ready to the host                                              for remote mirroring operation.                                               This action is valid for both                                                 primary (R1) and secondary (R2)                                               volumes.                                                 ADCOPY-WP R1         Enable adaptive copy - write                                                  pending function for primary (R1)                                             device. When this attribute is                                                enabled, data storage system                                                  acknowledges all writes to primary                                            (R1) volumes as if they were local                                            volumes.                                                 NADCOPY   R1         Disable Adaptive Copy Function for                                            primary (R1) device. Please note                                              that when switching from adaptive                                             copy - disk mode to adaptive copy -                                           write mode or from adaptive copy -                                            write mode to adaptive copy -disk                                             mode, this command must first be                                              used before setting the new                                                   adaptive copy mode. Please note                                               that when this command is issued to                                           remove a device from adaptive copy                                            mode, the state change will not                                               take place until the volumes are                                              synchronized.                                            ADCOPY-DISK                                                                             R1         Place the specified device(s) in                                              adaptive copy disk mode.                                 ADC-MAX   R1         Set the adaptive copy maximum skew                                            value for the device(s). Example:                                             #SC VOL,F00,ADC-MAX,,80. The                                                  maximum skew value may be speci-                                              fied in the range of 1-999999. This                                           command may only be entered when                                              the device is in one of the                                                   supported adaptive copy modes.                                                Setting the skew value too high in                                            Adaptive Copy - Write Pending mode                                            could result in excessive cache use                                           adversely affecting data storage                                              system performance.                                      RDF-SUSP  R1         Suspend remote mirroring operation                                            on specified device. If the device                                            is already suspended, this action                                             is ignored.                                              RDF-RSUM  R1         Resume remote mirroring operation                                             on specified device. This action                                              is only valid if the device was                                               previously suspended via a                                                    successful RDF-SUSP action or                                                 INVALIDATE action.                                       VALIDATE  R1/R2      Make all tracks for a primary (R1)                                            volume valid on a secondary (R2)                                              volume. When                                                                  SYNCH.sub.-- DIRECTION=R1>R2                                                  this action code makes all tracks                                             from a primary (R1) volume valid on                                           secondary (R2) volumes. When                                                  SYNCH.sub.-- DIRECTION=R1<R2 this                                             action code makes a primary (R1)                                              volume not ready and prepares it to                                           be re-synched from the secondary                                              (R2) volume using RDF-RSUM. It                                                makes all tracks for a secondary (R2)                                         volume valid on the primary                                                   (R1) volume.                                             INVALIDATE                                                                              R1         Make all tracks invalid for a                                                 secondary (R2) volume on a primary                                            (R1) volume. When                                                             resynchronization begins, all                                                 primary (R1) volume tracks are                                                copied to the secondary (R2)                                                  volume.                                                  ______________________________________                                    

(4) Data Migration Query Commands

#SQ VOL₋₋ MGR

The SQ VOL₋₋ MGR command displays the status of individual datamigration volumes. It also displays the host system level informationfor each device if it was online during system startup.

Format: #SQ VOL₋₋ MGR, cuu, count.linevert split.ALL.linevertsplit.NOT₋₋ COMPLETE

Parameters: cuu Specifies the host device number

count Specifies the number of devices to display.

Possible values are 1 to 256 (decimal), ALL, or NOT₋₋ COMPLETE.

Comments: The count parameters can display the migration status of alldata storage system volumes accessible through that control unit (ALL),a specific number of data storage system devices, or only those datastorage system devices that have not completed migration (NOT₋₋COMPLETE).

Example: #SQ VOL₋₋ MGR,600,3

This example displays the following fields:

1. Host device number. Field 1 displays "????" for devices not onlineduring startup or put online after the last SC GLOBAL,SSID₋₋ REFRESHcommand.

2. First device address (hex) on the host channel. Field 2 displays "??"for devices not online during startup or put online after the last SCGLOBAL,SSID₋₋ REFRESH command.

3. Control unit device number in hex.

4. Migration device number in hex.

5. Device volser. If the device was online at system initialization orduring a SC GLOBAL,SSID₋₋ REFRESH, the volser is from the UCB;otherwise, it is the volser assigned to the device when the data storagesystem was installed.

6. Data Migration device status. Valid values are:

READY=data storage system device is ready to host;

NRDY=data storage system device is not ready to host;

NR-MIG=data storage system device is not ready for migration.

7. Original data storage system invalid track count.

8. Data storage system volume invalid track count.

9. Remaining tracks to migrate.

10. Total tracks on volume.

11. Percentage of tracks migrated to data storage system device.

12. Migration rate. Possible values are:

MAX=maximum migration rate;

FST=fast migration rate;

MED=medium migration rate;

SLO=slow migration rate;

DEF=default migration rate (maximum).

13. Device data migration enabled indicator (Y/N).

(5) Data Migration Configuration Commands

#SC CNFG₋₋ MGR

The SC CNFG₋₋ MGR command modifies the global data migration rate ineffect for all data migration volumes.

Format: #SC CNFG₋₋ MGR, cuu, value

Parameters: cuu Specifies the host device number.

value Rate at which data storage system attempts to transfer data fromthe original DASD unit. Valid values are FAST, MEDIUM, or SLOW.

#SC VOL₋₋ MGR

The SC VOL₋₋ MGR command modifies the status of a data migration volume.This configuration command provides the ability to establish/stop idletime data migration for the specified volume(s) or all migration volumesand specify the data migration rate for specified or all data migrationvolumes. All #SC VOL₋₋ MGR commands require the operator to confirm theaction you have specified, unless this has been disabled by theOPERATOR₋₋ VERIFY sysparm. This confirmation is necessary as someactions may result in loss of data if performed incorrectly. Therequirement for confirmation may be bypassed based on the valuespecified on the OPERATOR₋₋ VERIFY initialization parameter.

Format: #SC VOL₋₋ MGR, cuu, action, dev#, rate

Parameters: cuu Specifies the host device number.

action See the table of possible actions below.

dev# Specifies the data storage system device number. Valid values are00 to FF (hex) and ALL.

rate Speed at which migration occurs. Valid values are MAXIMUM, FAST,MEDIUM, and SLOW.

Comments: If ALL is specified for the dev# parameter value, then alldata migration devices on that controller are affected by this commandaction. If no dev# parameter is specified, then the host remotemirroring software will attempt to use the cuu parameter to determinethe data storage system device number on which to perform the action.The rate parameter is only specified when DM₋₋ RATE is the action.

    ______________________________________                                        Table of Possible #SC VOL.sub.-- MGR Actions                                  Action       Description                                                      ______________________________________                                        DM.sub.-- COPY.sub.-- START                                                                Enable data migration copy process for the                                    specified device(s) during idle time.                            DM.sub.-- COPY.sub.-- STOP                                                                 Stop data migration copy process for the                                      specified device(s) during idle time; only                                    migrate data during normal input/output                                       operations                                                       DM.sub.-- RATE                                                                             Set data migration rate to value specified by                                 the rate parameter.                                              ______________________________________                                    

(6) Remote Mirroring Recovery Procedures Using Host RM Software

Following are specific examples of using the host remote mirroring (RM)software to perform data recovery procedures. "ccu" refers to the hostdevice number, and "dev#" refers to the data storage system logicalvolume number.

(a) Recovering Using a Remote Host

In the event of a disaster at a local site that renders all equipment(local CPU and data storage system) non-operational, perform thefollowing sequence of steps when using the remote data storage system torecover.

Write-enable all secondary (R2) volumes to the host at the remote siteby performing the following two steps:

1. Set all R2 volumes to a "ready" state to the remote host by typingthe following command:

#SC VOL,cuu,RDY,ALL

2. Write enable all volumes on the remote data storage system with aremote mirror designation (R2) by typing the following command:

#SC vol,cuu,R/W,ALL

All volumes at the remote data storage system are now available forinput/output operations with the host at that site. Before read/writeoperations can be resumed with the data storage system at the localsite, however, all secondary (R2) volumes at the remote data storagesystem must be set to read-only, not-ready to the host at the remotesite, and the resynchronization process established. (Failure to makethe secondary (R2) volumes read-only prior t:o bringing the local datastorage system online can result in data corruption and invalid tracksin both the primary (R1) and secondary (R2) volumes.) When the host anddata storage system at the local site are ready to be brought backonline, perform the following steps:

At the remote site, perform the following four steps:

1. Stop input/output operations with the remote data storage system andvary devices offline from the remote host.

2. Make all secondary (R2) volumes on the remote data storage systemread-only and not ready to the remote host (as per the originalconfiguration) by typing the following commands:

#SC VOL,cuu,R/O,ALL and

#SC VOL,cuu,NRDY,ALL

3. Enable all disk adapters on the remote data storage system.

4. Enable the link adapters on the remote data storage system.

At the site of the original disaster (local host and data storagesystem) perform the following seven steps:

1. Disable the adapters (channel adapters and RLDs) on the local datastorage system.

2. Reconnect the link cables from the location they were previouslydisconnected.

3. IPL the host system.

4. Power up the local data storage system.

5. Enable all disk adapters and link adapters. The two data storagesystems begin synchronizing. When the links synchronize, the remote datastorage system begins copying its data to the local data storage system.

6. Enable the channel adapters.

7. Have the user vary devices online to the local host and resumeoperations with the local data storage system.

The operator can view the status of the resynchronization process byissuing: #SQ VOL,cuu,INV₋₋ TRKS

(b) Testing Recovery Procedures

In a normal remote mirroring device relationship, the primary (R1)device may be synchronized with its secondary (R2) device or it maycontain updated tracks which the link adapter has not yet sent to thesecondary (R2) device (semi-synchronous or adaptive copy state). Inaddition, in a normal operating environment, the secondary (R2) volumeis in a read-only mode. The operator can test recovery procedures bywrite-enabling the secondary (R2) volumes. To write-enable a secondary(R2) volume, the operator must first suspend remote mirroring operationsbetween the primary (R1) and secondary (R2) volumes, make the devicesready, and then write-enable the secondary (R2) volumes.

(i) Suspending Remote Mirroring Operations

To suspend remote mirroring operations for a single pair, enter thefollowing command at the host with access to the primary (R1) volume:#SC VOL,cuu,RDF-SUSP,dev#. To suspend remote mirroring operations forall remotely mirrored pairs, enter the following command at the hostwith access to the primary (R1) volume: #SC VOL,cuu,RDF-SUSP,ALL.

(ii) Making Volumes Ready

To make a secondary (R2) volume ready, enter the following command atthe host with access to the secondary (R2) volume: #SC VOL,cuu,RDY,dev#.To make all secondary (R2) volumes ready, enter the following command atthe host with access to the secondary (R2) volume: #SC VOL,cuu,RDY,ALL.

(iii) Write-Enabling Secondary (R2) Volumes

To write-enable the secondary (R2) volume, enter the following commandat the host with access to the secondary (R2) volume: #SCVOL,cuu,R/W,dev#. To write-enable all secondary (R2) volumes, enter thefollowing command at the host with access to the secondary (R2) volume:#SC VOL,cuu,R/W,ALL. Any primary (R1) volume configured with the dominoeffect option will go RNR (volumes not ready for remote mirroringoperation) when remote mirroring operations are suspended. To clear thisnot ready condition, the operator must disable the domino effect optionon those "not ready" volumes, and then enable those devices for remotemirroring operation using the RDF-RDY action with the #SC VOL command.

(iv) To Resume Remote Mirroring Operations

There are several ways to resume remote mirroring operations. The methodused will depend on the state of the remotely mirrored pair. Thissection describes the various methods. (WARNING! Any deviation from theprocedures described in this section may result in data corruption!Consult the table of primary (R1)/secondary (R2) volume status below forthe appropriate procedure to follow.)

Use the #SQ VOL command to determine the invalid track count of theprimary (R1) and secondary (R2) volumes.

    ______________________________________                                        Table of Primary (R1)/Secondary (R2) Volume Status                            Primary (R1) Volume                                                                        Secondary (R2) Volume                                                                         Procedure                                        ______________________________________                                        no invalid tracks                                                                          no invalid tracks                                                                             see Procedure 1                                  invalid tracks                                                                             no invalid tracks                                                                             see Procedure 1                                  no invalid tracks                                                                          invalid tracks  see Procedure 2                                  invalid tracks                                                                             invalid tracks  see Procedure 3                                  ______________________________________                                    

Procedure 1: No Invalid Tracks or Invalid Tracks on Primary (R1) VolumeOnly. Follow this procedure to resume remote mirroring operations whenthere are no invalid tracks on the secondary (R2) volume.

1. Make the secondary (R2) volume(s) on the data storage systemread-only by typing the following command at the host with access to thesecondary (R2) volume(s): #SC VOL,cuu,R/O[,dev#.linevert split.,ALL].

2. Make tile secondary (R2) volume(s) on the data storage system notready by typing the following command at the host with access to thesecondary (R2) volume(s): #SC VOL,cuu,NRDY[,dev#.linevert split.,ALL].

3. Resume remote mirroring operations by typing the following command atthe host with access to the primary (R1) volume(s): #SCVOL,cuu,RDF-RSUM,ALL

Procedure 2: Invalid Tracks on Secondary (R2) Volume Only.

Follow this procedure to resume remote mirroring operations when thereare no invalid tracks on the primary (R1) volume and invalid tracks onthe secondary (R2) volume. This procedure copies the information on theprimary (R1) volume to the secondary (R2) volume.

A. To Discard All Updates to the secondary (R2) Volume:

1. Verify that the current synchronization direction is set from primaryto secondary (R1→R2) by typing the following command: #SQ GLOBAL. Issuethe following command if it is necessary to change the currentsynchronization direction: #SC GLOBAL,SYNC₋₋ DIRECTION,R1>R2.

2. Make the secondary (R2) volume(s) on the data storage systemread-only by typing the following command at the host with access to thesecondary (R2) volume(s): #SC VOL,cuu,R/O[,dev#.linevert split.,ALL]

3. Make the secondary (R2) volume(s) on the data storage system notready by typing the following command at the host with access to thesecondary (R2) volume(s): #SC VOL,cuu,NRDY[,dev#.linevert split.,ALL].

4. Determine which secondary (R2) volumes have a non-zero R1 INV₋₋ TRKSvalue by typing: #SQ VOL,cuu,INV₋₋ TRKS.

5. For all secondary (R2) volumes with non-zero R1 INV₋₋ TRKS values:From the host with access to the secondary (R2) volume:

a. Validate all invalid tracks for the primary (R1) volume(s) on thesecondary (R2) volume by typing: #SC VOL,cuu,VALIDATE[,dev#.linevertsplit.,ALL] (`dev#`=secondary (R2) volume with an R1 INV₋₋ TRKS valuegreater than 0).

b. Repeat step a for each secondary (R2) volume with a non-zero R1 INV₋₋TRKS value for a primary (R1) volume. If ALL is the specified parameterthen step b is not necessary.

6. Verify all secondary (R2) volumes have an R1 INV₋₋ TRKS value equalto 0 by typing : #SQ VOL,cuu,INV₋₋ TRKS.

7. For all primary (R1) volumes whose secondary (R2) volume (R2) waswrite-enabled and had an R1 INV₋₋ TRK value greater than 0 (prior tostep 2 above): From the host with access to the primary (R1) volume:

a. Invalidate all valid tracks for the secondary (R2) volume on theprimary (R1) volume by typing: #SC VOL,cuu,INVALIDATE[,dev#.linevertsplit.,ALL] (`dev#`=primary (R1) volume whose secondary (R2) volume hadan R1 INV₋₋ TRKS value greater than 0). The host remote mirroringsoftware will monitor the process of invalidating all secondary tracksuntil complete. This may take up to two minutes on a heavily loadedcontroller. The host remote mirroring software will not perform any newremote mirroring commands during this process.

8. Resume remote mirroring operation from the host with access to theprimary (R1) volumes by typing the following command: #SCVCL,cuu,RDF-RSUM,ALL. Those primary (R1) and secondary (R2) volumes withinvalid tracks will begin to synchronize. To view the synchronizationprocess on any device, display that device using the SQ VOL command.

B. To Retain Updates on the Secondary (R2) Volume:

This procedure copies the information on the secondary (R2) volume tothe primary (R1) volume.

1. Verify that the synchronization direction is set from secondary toprimary (R1<R2) by typing the following command: #SQ GLOBAL. Issue thefollowing command if it is necessary to change the currentsynchronization direction: #SC GLOBAL,SYNC₋₋ DIRECTION,R1<R2.

2. Make the secondary (R2) volume(s) on the data storage systemread-only by typing the following command at the host with access to thesecondary (R2) volume(s): #SC VOL,cuu,R/O[,dev#.linevert split.,ALL]

3. Vary the R1 device offline to the host: V cuu,OFFLINE.

4. Make the primary (R1) device unavailable to the host: #SCVOL,cuu,RDF-NRDY.

5. Determine which secondary (R2) volumes have a non-zero R1 INV₋₋ TRKSvalue by typing: #SQ VOL,cuu,INV₋₋ TRKS.

6. For all secondary (R2) volumes with non-zero R1 INV₋₋ TRKS values:From the host with access to the primary (R1) volume:

a. Set R2 invalid tracks to zero and prepare the primary (R1) volume forsynchronization by typing: #SC VOL,cuu,VALIDATE[,dev#.linevertsplit.,ALL] (`dev#`=primary (R1) volume whose secondary (R2) volume hasan R1 INV₋₋ TRKS value greater than 0).

b. Repeat step a for each primary (R1) volume with a non-zero R2 INV₋₋TRKS value for a secondary (R2) volume. If ALL is the specifiedparameter then step b is not necessary.

7. Resume remote mirroring operation from the host with access to theprimary (R1) volumes by typing the following command: #SCVOL,cuu,RDF-RSUM[,dev#.linevert split.,ALL]. Those primary (R1) andsecondary (R2) volumes with invalid tracks will begin to synchronize. Toview the synchronization process on any device, display that deviceusing the # SQ VOL command from the host with access to the primary (R1)volume(s).

8. Make the R1 device available to the host: #SC VOL,cuu,RDF-RDY.

9. Vary the R1 device online to the host: V cuu,online.

Procedure 3: Invalid Tracks on both Primary (R1) and Secondary (R2)Volumes. Follow this procedure to resume remote mirroring operationswhen there are invalid tracks on both the primary (R1) volume and thesecondary (R2) volume. To retain primary (R1) volume updates and discardsecondary (R2) volume updates, follow procedure 2A above. To retainsecondary (R2) volume updates and discard primary (R1) volume updates,follow procedure 2B above.

Modifications and substitutions by one of ordinary skill in the art areconsidered to be within the scope of the present invention, which is notto be limited except by the claims which follow.

What is claimed is:
 1. A data processing system comprising:a first datastorage system; a second data storage system; and a data link coupledbetween said first data storage system and said second data storagesystem for transmission of remote copy data from said first data storagesystem to said second data storage system; wherein said first datastorage system is operational in a remote copy mode in which data isstored in a primary volume of data storage in said first data storagesystem and is transmitted over said data link and stored in a respectivesecondary volume of data storage in said second data storage system; andsaid first data storage system includes a controller for detecting anoccurrence of a disruption in operation of the data processing systempreventing an access to said primary volume, and upon detecting saidoccurrence of said disruption in operation of the data processing systempreventing said access to said primary volume, checking whether anautomatic recovery mode has been preselected for said primary volume,andwhen said automatic recovery mode has been preselected for saidprimary volume, automatically accessing said secondary volume in lieu ofsaid primary volume, and when said automatic recovery mode has not beenpreselected for said primary volume, not automatically accessing saidsecondary volume and instead signaling that intervention is required. 2.The data processing system as claimed in claim 1, wherein the datastorage in the first data storage system and the data storage in thesecond data storage system are configured to define volume pairs, eachvolume pair including a primary volume in one of the first data storagesystem and the second data storage system and a corresponding secondaryvolume in another of the first data storage system and the second datastorage system, said volume pairs including primary volumes each havingan attribute for selecting or not selecting said automatic recoverymode.
 3. The data processing system as claimed in claim 1, wherein saidcontroller has control logic for detecting an occurrence of a disruptionin operation of the data processing system preventing an access to saidsecondary volume, and upon detecting said occurrence of said disruptionin operation of the data processing system preventing said access tosaid secondary volume, checking whether said automatic recovery mode hasbeen preselected for said secondary volume, andwhen said automaticrecovery mode has been preselected for said secondary volume,automatically accessing said primary volume in lieu of said secondaryvolume, and when said automatic recovery mode has not been preselectedfor said secondary volume, not automatically accessing said primaryvolume and instead signaling that intervention is required.
 4. The dataprocessing system as claimed in claim 1, wherein the data storage insaid first data storage system and in said second data storage systemare configured to define volume pairs, each volume pair including aprimary volume in one of the first data storage system and the seconddata storage system and a corresponding secondary volume in another ofthe first data storage system and the second data storage system, eachvolume pair having an attribute for selecting or not selecting saidautomatic recovery mode with respect to the primary volume and thesecondary volume in said each volume pair.
 5. The data processing systemas claimed in claim 1, wherein the controller includes control logic forsending an "intervention required" message to an operating system of ahost computer in order to signal that intervention is required.
 6. Adata storage system comprising:primary data storage; and a data storagecontroller programmed to operate in a remote copy mode in which data isstored in a primary volume of the primary data storage and istransmitted over a data link to remote data storage for storage in arespective secondary volume of the remote data storage; wherein saiddata storage controller is further programmed to detect an occurrence ofa disruption in operation of the data storage system preventing anaccess to said primary volume, and upon detecting said occurrence ofsaid disruption in operation of the data storage system preventing saidaccess to said primary volume, to check whether an automatic recoverymode has been preselected for said primary volume, andwhen saidautomatic recovery mode has been preselected for said primary volume, toautomatically access said secondary volume in lieu of said primaryvolume, and when said automatic recovery mode has not been preselectedfor said primary volume, to not automatically access said secondaryvolume and instead to signal that intervention is required.
 7. The datastorage system of claim 6, wherein said data storage controller isprogrammed to detect an occurrence of a disruption in operation of thedata storage system preventing an access to said secondary volume, andupon detecting said occurrence of said disruption in operation of thedata storage system preventing said access to said secondary volume, tocheck whether said automatic recovery mode has been preselected for saidsecondary volume, andwhen said automatic recovery mode has beenpreselected for said secondary volume, to automatically access saidprimary volume in lieu of said secondary volume, and when said automaticrecovery mode has not been preselected for said secondary volume, to notautomatically access said primary volume and instead to signal thatintervention is required.
 8. A program storage device readable by a datastorage system, said program storage device encoding a program forexecution by the data storage system for controlling operation of thedata storage system in a remote copy mode in which data is stored in aprimary volume of primary data storage of the data storage system and istransmitted over a data link to remote data storage for storage in arespective secondary volume of the remote data storage;wherein saidprogram is executable by the data storage system to detect an occurrenceof a disruption in operation of the data storage system preventing anaccess to said primary volume, and upon detecting said occurrence ofsaid disruption in operation of the data storage system preventing saidaccess to said primary volume, to check whether an automatic recoverymode has been preselected for said primary volume, and when saidautomatic recovery mode has been preselected for said primary volume, toautomatically access said secondary volume in lieu of said primaryvolume, and when said automatic recovery mode has not been preselectedfor said primary volume, to not automatically access said secondaryvolume and instead to signal that intervention is required.
 9. Theprogram storage device as claimed in claim 8, wherein said program isexecutable by the data storage system to detect an occurrence of adisruption in operation of the data storage system preventing an accessto said secondary volume, and upon detecting said occurrence of saiddisruption in operation of the data storage system preventing saidaccess to said secondary volume, to check whether said automaticrecovery mode has been preselected for said secondary volume, andwhensaid automatic recovery mode has been preselected for said secondaryvolume, to automatically access said primary volume in lieu of saidsecondary volume, and when said automatic recovery mode has not beenpreselected for said secondary volume, to not automatically access saidprimary volume and instead to signal that intervention is required. 10.A method of recovering from disruptions in a data processing system,said data processing system having a first data storage system, a seconddata storage system, and a data link coupled between said first datastorage system and said second data storage system for transmission ofremote copy data from said first data storage system to said second datastorage system; said method comprising the steps of:(a) configuring thedata storage in said first data storage system and in said second datastorage system to define volume pairs each including a primary volume insaid first data storage system and a corresponding secondary volume inthe second data storage system, said volume pairs including primaryvolumes each having an attribute for selecting or not selecting anautomatic recovery mode; (b) operating said data processing system in aremote copy mode in which data is stored in the primary volumes of datastorage in said first data storage system and is transmitted over saiddata link and stored in the corresponding secondary volumes of datastorage in said second data storage system; (c) detecting an occurrenceof a disruption in operation of the data processing system preventing anaccess to a primary volume having said attribute selecting saidautomatic recovery mode, and upon detecting said occurrence of saiddisruption in operation of the data processing system preventing saidaccess to the primary volume having said attribute selecting saidautomatic recovery mode, automatically accessing the secondary volume inthe volume pair including the primary volume having said attributeselecting said automatic recovery mode; and (d) detecting an occurrenceof a disruption in operation of the data processing system preventing anaccess to a primary volume having said attribute not selecting saidautomatic recovery mode, and upon detecting said occurrence of saiddisruption in operation of the data processing system preventing saidaccess to the primary volume having said attribute not selecting saidautomatic recovery mode, not automatically accessing the secondaryvolume in the volume pair including the primary volume having saidattribute not selecting said automatic recovery mode, and insteadsignaling that intervention is required.
 11. The method as claimed inclaim 10, wherein said volume pairs include secondary volumes eachhaving an attribute for selecting or not selecting said automaticrecovery mode, and wherein said method further includes the steps of:(e)detecting an occurrence of a disruption in operation of the dataprocessing system preventing an access to a secondary volume having saidattribute selecting said automatic recovery mode, and upon detectingsaid occurrence of said disruption in operation of the data processingsystem preventing said access to the secondary volume having saidattribute selecting said automatic recovery mode, automaticallyaccessing the primary volume in the volume pair including the secondaryvolume having said attribute selecting said automatic recovery mode; and(f) detecting an occurrence of a disruption in operation of the dataprocessing system preventing an access to a secondary volume having saidattribute not selecting said automatic recovery mode, and upon detectingsaid occurrence of said disruption in operation of the data processingsystem preventing said access to the secondary volume having saidattribute rot selecting said automatic recovery mode, not automaticallyaccessing the primary volume in the volume pair including the secondaryvolume having said attribute not selecting said automatic recovery mode,and instead signaling that intervention is required.
 12. The method asclaimed in claim 10, wherein the first data storage system sends an"intervention required" message to an operating system of a hostcomputer in order to signal that intervention is required.
 13. A dataprocessing system comprising:a first data storage system; a second datastorage system; and a data link coupled between said first data storagesystem and said second data storage system for transmission of data fromsaid first data storage system to said second data storage system;wherein said first data storage system is operational in a remote copymode in which remote copy data is stored in data storage in said firstdata storage system and is transmitted over said data link and stored indata storage in said second data storage system; and said first datastorage system includes a controller for detecting a failure of saiddata link preventing the remote copy data from being transmitted to saidsecond data storage system for storage in the data storage in saidsecond data storage system, and upon detecting said failure of said datalink preventing the remote copy data from being transmitted to saidsecond data storage system for storage in the data storage in saidsecond data storage system, checking whether an automatic recovery modehas been preselected for use in case of link failure, andwhen saidautomatic recovery mode has been preselected for use in case of linkfailure, permitting continued access to the remote copy data in the datastorage in the first data storage system without intervention, and whensaid automatic recovery mode has not been preselected for use in case oflink failure, not permitting continued access to the remote copy data inthe data storage of the first data storage system without interventionand instead signaling that intervention is required.
 14. The dataprocessing system as claimed in claim 13, wherein the controllerincludes control logic for sending an "intervention required" message toan operating system of a host computer in order to signal thatintervention is required.
 15. A data storage system comprising:primarydata storage; and a data storage controller programmed to operate in aremote copy mode in which remote copy data is stored in the primary datastorage and is transmitted over a data link to remote data storage;wherein said data storage controller is further programmed to detect afailure of said data link preventing the remote copy data from beingtransmitted to said remote data storage, and upon detecting said failureof said data link preventing the remote copy data from being transmittedto said remote data storage, to check whether an automatic recovery modehas been preselected for use in case of link failure, andwhen saidautomatic recovery mode has been preselected for use in case of linkfailure, to permit continued access to the remote copy data in theprimary data storage without intervention, and when said automaticrecovery mode has not been preselected for use in case of link failure,to not permit continued access to the remote copy data in the primarydata storage without intervention and instead to signal thatintervention is required.
 16. A program storage device readable by adata storage system, said program storage device encoding a program forexecution by the data storage system for controlling operation in aremote copy mode in which remote copy data is stored in primary datastorage of the data storage system and is transmitted over a data linkto remote data storage, wherein said program s executable by the datastorage system to detect a failure of said data link preventing theremote copy data from being transmitted to said remote data storage, andupon detecting said failure of said data link preventing the remote copydata from being transmitted to said remote data storage, to checkwhether an automatic recovery mode has been preselected for use in caseof link failure, andwhen said automatic recovery mode has beenpreselected for use in case of link failure, to permit continued accessto the remote copy data without intervention, and when said automaticrecovery mode has not been preselected for use in case of link failure,to not permit continued access to the remote copy data withoutintervention and instead to signal that intervention is required.
 17. Amethod of operating a data processing system, said data processingsystem including a first data storage system, a second data storagesystem, a data link coupled between said first data storage system andsaid second data storage system for transmission of remote copy datafrom said first data storage system to said second data storage system,and a host computer coupled to said first data storage system for accessto data storage in said first data storage system; said methodcomprising the steps of:(a) selecting whether or not an automaticrecovery mode should be used in case of link failure; and then (b)operating said data processing system in a remote copy mode in whichremote copy data is stored in the data storage in said first datastorage system and is transmitted over said data link and stored in datastorage in said second data storage system; and (c) detecting a failureof said data link preventing data stored in the data storage in saidfirst data storage system from being transmitted to said second datastorage system for storage in the data storage in said second datastorage system, and upon detecting said failure of said data linkpreventing remote copy data stored in the data storage in said firstdata storage system from being transmitted to said second data storagesystem for storage in the data storage in said second data storagesystem, checking whether said automatic recovery mode has beenpreselected for use in case of link failure, andwhen said automaticrecovery mode has been preselected for use in case of link failure,permitting said host computer to continue to access the remote copy datain the data storage in the first data storage system withoutintervention, and when said automatic recovery mode has not beenpreselected for use in case of link failure, not permitting said hostcomputer to access the remote copy data in the data storage in the firstdata storage system without intervention and instead signaling thatintervention is required.
 18. The method as claimed in claim 17, whereinthe first data storage system includes means for sending an"intervention required" message to an operating system of said hostcomputer in order to signal that intervention is required.
 19. Themethod as claimed in claim 17, wherein said automatic recovery mode hasnot been preselected for use in case of link failure, said failure ofthe data link occurs preventing data stored in the data storage in saidfirst data storage system from being transmitted to said second datastorage system for storage in the data storage in said second datastorage system, and the host computer is prevented from accessing theremote copy data in the data storage of the first data storage systemfor read access and write access.